Edit tour

Windows Analysis Report
hcy2SdW2z6.exe

Overview

General Information

Sample name:	hcy2SdW2z6.exe renamed because original name is a hash value
Original sample name:	fa5584ac7257747136c877bd58182430e2d23d5c6b4eff9ab240fcaefe526ee5.exe
Analysis ID:	1634875
MD5:	0cd8e4dd97ae7994490cbf435272c182
SHA1:	1206bbeff9be5a99ab8202acc8ccf93dafa1d269
SHA256:	fa5584ac7257747136c877bd58182430e2d23d5c6b4eff9ab240fcaefe526ee5
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

hcy2SdW2z6.exe (PID: 7704 cmdline: "C:\Users\user\Desktop\hcy2SdW2z6.exe" MD5: 0CD8E4DD97AE7994490CBF435272C182)

powershell.exe (PID: 7812 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hcy2SdW2z6.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7536 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7868 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zZlsXaceOG.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7892 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpDE83.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

hcy2SdW2z6.exe (PID: 8176 cmdline: "C:\Users\user\Desktop\hcy2SdW2z6.exe" MD5: 0CD8E4DD97AE7994490CBF435272C182)

svchost.exe (PID: 8068 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

zZlsXaceOG.exe (PID: 7440 cmdline: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe MD5: 0CD8E4DD97AE7994490CBF435272C182)

schtasks.exe (PID: 4688 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpEF6B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

zZlsXaceOG.exe (PID: 504 cmdline: "C:\Users\user\AppData\Roaming\zZlsXaceOG.exe" MD5: 0CD8E4DD97AE7994490CBF435272C182)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k/sendMessage?chat_id=5217421430", "Token": "5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k", "Chat_id": "5217421430", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.3639199357.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14885:$a1: get_encryptedPassword 0x14b71:$a2: get_encryptedUsername 0x14691:$a3: get_timePasswordChanged 0x1478c:$a4: get_passwordField 0x1489b:$a5: set_encryptedPassword 0x15eeb:$a7: get_logins 0x15e4e:$a10: KeyLoggerEventArgs 0x15ab9:$a11: KeyLoggerEventArgsEventHandler
0000000D.00000002.3639123759.0000000000418000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3639123759.0000000000418000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.3639123759.0000000000418000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x38d8:$x1: $%SMTPDV$ 0x22bc:$x2: $#TheHashHere%& 0x3880:$x3: %FTPDV$ 0x225c:$x4: $%TelegramDv$ 0x38a4:$m2: Clipboard Logs ID 0x3ae2:$m2: Screenshot Logs ID 0x3bf2:$m2: keystroke Logs ID 0x3ecc:$m3: SnakePW 0x3aba:$m4: \SnakeKeylogger\
00000009.00000002.1277566601.00000000044F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1277566601.00000000044F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.1277566601.00000000044F1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14d7d:$a1: get_encryptedPassword 0x3579d:$a1: get_encryptedPassword 0x55fbd:$a1: get_encryptedPassword 0x15069:$a2: get_encryptedUsername 0x35a89:$a2: get_encryptedUsername 0x562a9:$a2: get_encryptedUsername 0x14b89:$a3: get_timePasswordChanged 0x355a9:$a3: get_timePasswordChanged 0x55dc9:$a3: get_timePasswordChanged 0x14c84:$a4: get_passwordField 0x356a4:$a4: get_passwordField 0x55ec4:$a4: get_passwordField 0x14d93:$a5: set_encryptedPassword 0x357b3:$a5: set_encryptedPassword 0x55fd3:$a5: set_encryptedPassword 0x163e3:$a7: get_logins 0x36e03:$a7: get_logins 0x57623:$a7: get_logins 0x16346:$a10: KeyLoggerEventArgs 0x36d66:$a10: KeyLoggerEventArgs 0x57586:$a10: KeyLoggerEventArgs
00000009.00000002.1277566601.00000000044F1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19dd0:$x1: $%SMTPDV$ 0x3a7f0:$x1: $%SMTPDV$ 0x5b010:$x1: $%SMTPDV$ 0x187b4:$x2: $#TheHashHere%& 0x391d4:$x2: $#TheHashHere%& 0x599f4:$x2: $#TheHashHere%& 0x19d78:$x3: %FTPDV$ 0x3a798:$x3: %FTPDV$ 0x5afb8:$x3: %FTPDV$ 0x18754:$x4: $%TelegramDv$ 0x39174:$x4: $%TelegramDv$ 0x59994:$x4: $%TelegramDv$ 0x15fb1:$x5: KeyLoggerEventArgs 0x16346:$x5: KeyLoggerEventArgs 0x369d1:$x5: KeyLoggerEventArgs 0x36d66:$x5: KeyLoggerEventArgs 0x571f1:$x5: KeyLoggerEventArgs 0x57586:$x5: KeyLoggerEventArgs 0x19d9c:$m2: Clipboard Logs ID 0x19fda:$m2: Screenshot Logs ID 0x1a0ea:$m2: keystroke Logs ID
00000008.00000002.3644481905.0000000002D92000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1236876601.0000000004A10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1236876601.0000000004A10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1236876601.0000000004A10000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x156ed:$a1: get_encryptedPassword 0x3610d:$a1: get_encryptedPassword 0x5692d:$a1: get_encryptedPassword 0x159d9:$a2: get_encryptedUsername 0x363f9:$a2: get_encryptedUsername 0x56c19:$a2: get_encryptedUsername 0x154f9:$a3: get_timePasswordChanged 0x35f19:$a3: get_timePasswordChanged 0x56739:$a3: get_timePasswordChanged 0x155f4:$a4: get_passwordField 0x36014:$a4: get_passwordField 0x56834:$a4: get_passwordField 0x15703:$a5: set_encryptedPassword 0x36123:$a5: set_encryptedPassword 0x56943:$a5: set_encryptedPassword 0x16d53:$a7: get_logins 0x37773:$a7: get_logins 0x57f93:$a7: get_logins 0x16cb6:$a10: KeyLoggerEventArgs 0x376d6:$a10: KeyLoggerEventArgs 0x57ef6:$a10: KeyLoggerEventArgs
00000000.00000002.1236876601.0000000004A10000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a740:$x1: $%SMTPDV$ 0x3b160:$x1: $%SMTPDV$ 0x5b980:$x1: $%SMTPDV$ 0x19124:$x2: $#TheHashHere%& 0x39b44:$x2: $#TheHashHere%& 0x5a364:$x2: $#TheHashHere%& 0x1a6e8:$x3: %FTPDV$ 0x3b108:$x3: %FTPDV$ 0x5b928:$x3: %FTPDV$ 0x190c4:$x4: $%TelegramDv$ 0x39ae4:$x4: $%TelegramDv$ 0x5a304:$x4: $%TelegramDv$ 0x16921:$x5: KeyLoggerEventArgs 0x16cb6:$x5: KeyLoggerEventArgs 0x37341:$x5: KeyLoggerEventArgs 0x376d6:$x5: KeyLoggerEventArgs 0x57b61:$x5: KeyLoggerEventArgs 0x57ef6:$x5: KeyLoggerEventArgs 0x1a70c:$m2: Clipboard Logs ID 0x1a94a:$m2: Screenshot Logs ID 0x1aa5a:$m2: keystroke Logs ID
0000000D.00000002.3644075067.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.3644075067.0000000002A91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.3644481905.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: hcy2SdW2z6.exe PID: 7704	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hcy2SdW2z6.exe PID: 7704	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: hcy2SdW2z6.exe PID: 7704	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: hcy2SdW2z6.exe PID: 7704	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa4cff:$a1: get_encryptedPassword 0xa4fe1:$a2: get_encryptedUsername 0xa4b15:$a3: get_timePasswordChanged 0xa4c10:$a4: get_passwordField 0xa4d15:$a5: set_encryptedPassword 0xa71e9:$a7: get_logins 0xa714c:$a10: KeyLoggerEventArgs 0xa6db7:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: hcy2SdW2z6.exe PID: 7704	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xa6db7:$x5: KeyLoggerEventArgs 0xa714c:$x5: KeyLoggerEventArgs 0xa7a53:$x5: KeyLoggerEventArgs 0xa7db4:$x5: KeyLoggerEventArgs 0xa9377:$m2: Clipboard Logs ID 0xa947d:$m2: Screenshot Logs ID 0xa94d3:$m2: keystroke Logs ID 0xa9608:$m3: SnakePW 0xa9469:$m4: \SnakeKeylogger\
Process Memory Space: hcy2SdW2z6.exe PID: 8176	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: hcy2SdW2z6.exe PID: 8176	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: hcy2SdW2z6.exe PID: 8176	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1784:$a1: get_encryptedPassword 0x1a66:$a2: get_encryptedUsername 0x159a:$a3: get_timePasswordChanged 0x1695:$a4: get_passwordField 0x179a:$a5: set_encryptedPassword 0x3c6e:$a7: get_logins 0x3bd1:$a10: KeyLoggerEventArgs 0x383c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: zZlsXaceOG.exe PID: 7440	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: zZlsXaceOG.exe PID: 7440	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: zZlsXaceOG.exe PID: 7440	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: zZlsXaceOG.exe PID: 7440	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x149ae:$a1: get_encryptedPassword 0x14c90:$a2: get_encryptedUsername 0x147c4:$a3: get_timePasswordChanged 0x148bf:$a4: get_passwordField 0x149c4:$a5: set_encryptedPassword 0x16e98:$a7: get_logins 0x16dfb:$a10: KeyLoggerEventArgs 0x16a66:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: zZlsXaceOG.exe PID: 7440	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16a66:$x5: KeyLoggerEventArgs 0x16dfb:$x5: KeyLoggerEventArgs 0x17702:$x5: KeyLoggerEventArgs 0x17a63:$x5: KeyLoggerEventArgs 0x19026:$m2: Clipboard Logs ID 0x1912c:$m2: Screenshot Logs ID 0x19182:$m2: keystroke Logs ID 0x192b7:$m3: SnakePW 0x19118:$m4: \SnakeKeylogger\
Process Memory Space: zZlsXaceOG.exe PID: 504	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: zZlsXaceOG.exe PID: 504	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: zZlsXaceOG.exe PID: 504	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28296:$m2: Clipboard Logs ID 0x2839c:$m2: Screenshot Logs ID 0x283f2:$m2: keystroke Logs ID 0x28527:$m3: SnakePW 0x28388:$m4: \SnakeKeylogger\
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.zZlsXaceOG.exe.4511d18.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.zZlsXaceOG.exe.4511d18.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.zZlsXaceOG.exe.4511d18.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c85:$a1: get_encryptedPassword 0x12f71:$a2: get_encryptedUsername 0x12a91:$a3: get_timePasswordChanged 0x12b8c:$a4: get_passwordField 0x12c9b:$a5: set_encryptedPassword 0x142eb:$a7: get_logins 0x1424e:$a10: KeyLoggerEventArgs 0x13eb9:$a11: KeyLoggerEventArgsEventHandler
9.2.zZlsXaceOG.exe.4511d18.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a68e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cf3:$a4: \Orbitum\User Data\Default\Login Data 0x1ad32:$a5: \Kometa\User Data\Default\Login Data
9.2.zZlsXaceOG.exe.4511d18.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13869:$s1: UnHook 0x13870:$s2: SetHook 0x13878:$s3: CallNextHook 0x13885:$s4: _hook
9.2.zZlsXaceOG.exe.4511d18.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cd8:$x1: $%SMTPDV$ 0x166bc:$x2: $#TheHashHere%& 0x17c80:$x3: %FTPDV$ 0x1665c:$x4: $%TelegramDv$ 0x13eb9:$x5: KeyLoggerEventArgs 0x1424e:$x5: KeyLoggerEventArgs 0x17ca4:$m2: Clipboard Logs ID 0x17ee2:$m2: Screenshot Logs ID 0x17ff2:$m2: keystroke Logs ID 0x182cc:$m3: SnakePW 0x17eba:$m4: \SnakeKeylogger\
13.2.zZlsXaceOG.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.zZlsXaceOG.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
13.2.zZlsXaceOG.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c48e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baf3:$a4: \Orbitum\User Data\Default\Login Data 0x1cb32:$a5: \Kometa\User Data\Default\Login Data
13.2.zZlsXaceOG.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ad8:$x1: $%SMTPDV$ 0x184bc:$x2: $#TheHashHere%& 0x19a80:$x3: %FTPDV$ 0x1845c:$x4: $%TelegramDv$ 0x19aa4:$m2: Clipboard Logs ID 0x19ce2:$m2: Screenshot Logs ID 0x19df2:$m2: keystroke Logs ID 0x1a0cc:$m3: SnakePW 0x19cba:$m4: \SnakeKeylogger\
0.2.hcy2SdW2z6.exe.4a10c68.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.hcy2SdW2z6.exe.4a10c68.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.hcy2SdW2z6.exe.4a10c68.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c85:$a1: get_encryptedPassword 0x12f71:$a2: get_encryptedUsername 0x12a91:$a3: get_timePasswordChanged 0x12b8c:$a4: get_passwordField 0x12c9b:$a5: set_encryptedPassword 0x142eb:$a7: get_logins 0x1424e:$a10: KeyLoggerEventArgs 0x13eb9:$a11: KeyLoggerEventArgsEventHandler
0.2.hcy2SdW2z6.exe.4a10c68.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a68e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cf3:$a4: \Orbitum\User Data\Default\Login Data 0x1ad32:$a5: \Kometa\User Data\Default\Login Data
0.2.hcy2SdW2z6.exe.4a10c68.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13869:$s1: UnHook 0x13870:$s2: SetHook 0x13878:$s3: CallNextHook 0x13885:$s4: _hook
0.2.hcy2SdW2z6.exe.4a10c68.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cd8:$x1: $%SMTPDV$ 0x166bc:$x2: $#TheHashHere%& 0x17c80:$x3: %FTPDV$ 0x1665c:$x4: $%TelegramDv$ 0x13eb9:$x5: KeyLoggerEventArgs 0x1424e:$x5: KeyLoggerEventArgs 0x17ca4:$m2: Clipboard Logs ID 0x17ee2:$m2: Screenshot Logs ID 0x17ff2:$m2: keystroke Logs ID 0x182cc:$m3: SnakePW 0x17eba:$m4: \SnakeKeylogger\
0.2.hcy2SdW2z6.exe.4a31688.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.hcy2SdW2z6.exe.4a31688.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.hcy2SdW2z6.exe.4a31688.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c85:$a1: get_encryptedPassword 0x12f71:$a2: get_encryptedUsername 0x12a91:$a3: get_timePasswordChanged 0x12b8c:$a4: get_passwordField 0x12c9b:$a5: set_encryptedPassword 0x142eb:$a7: get_logins 0x1424e:$a10: KeyLoggerEventArgs 0x13eb9:$a11: KeyLoggerEventArgsEventHandler
0.2.hcy2SdW2z6.exe.4a31688.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a68e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cf3:$a4: \Orbitum\User Data\Default\Login Data 0x1ad32:$a5: \Kometa\User Data\Default\Login Data
0.2.hcy2SdW2z6.exe.4a31688.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13869:$s1: UnHook 0x13870:$s2: SetHook 0x13878:$s3: CallNextHook 0x13885:$s4: _hook
0.2.hcy2SdW2z6.exe.4a31688.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cd8:$x1: $%SMTPDV$ 0x166bc:$x2: $#TheHashHere%& 0x17c80:$x3: %FTPDV$ 0x1665c:$x4: $%TelegramDv$ 0x13eb9:$x5: KeyLoggerEventArgs 0x1424e:$x5: KeyLoggerEventArgs 0x17ca4:$m2: Clipboard Logs ID 0x17ee2:$m2: Screenshot Logs ID 0x17ff2:$m2: keystroke Logs ID 0x182cc:$m3: SnakePW 0x17eba:$m4: \SnakeKeylogger\
9.2.zZlsXaceOG.exe.44f12f8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.zZlsXaceOG.exe.44f12f8.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.zZlsXaceOG.exe.44f12f8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12c85:$a1: get_encryptedPassword 0x12f71:$a2: get_encryptedUsername 0x12a91:$a3: get_timePasswordChanged 0x12b8c:$a4: get_passwordField 0x12c9b:$a5: set_encryptedPassword 0x142eb:$a7: get_logins 0x1424e:$a10: KeyLoggerEventArgs 0x13eb9:$a11: KeyLoggerEventArgsEventHandler
9.2.zZlsXaceOG.exe.44f12f8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a68e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cf3:$a4: \Orbitum\User Data\Default\Login Data 0x1ad32:$a5: \Kometa\User Data\Default\Login Data
9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.zZlsXaceOG.exe.44f12f8.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13869:$s1: UnHook 0x13870:$s2: SetHook 0x13878:$s3: CallNextHook 0x13885:$s4: _hook
9.2.zZlsXaceOG.exe.44f12f8.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cd8:$x1: $%SMTPDV$ 0x166bc:$x2: $#TheHashHere%& 0x17c80:$x3: %FTPDV$ 0x1665c:$x4: $%TelegramDv$ 0x13eb9:$x5: KeyLoggerEventArgs 0x1424e:$x5: KeyLoggerEventArgs 0x17ca4:$m2: Clipboard Logs ID 0x17ee2:$m2: Screenshot Logs ID 0x17ff2:$m2: keystroke Logs ID 0x182cc:$m3: SnakePW 0x17eba:$m4: \SnakeKeylogger\
9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a85:$a1: get_encryptedPassword 0x352a5:$a1: get_encryptedPassword 0x14d71:$a2: get_encryptedUsername 0x35591:$a2: get_encryptedUsername 0x14891:$a3: get_timePasswordChanged 0x350b1:$a3: get_timePasswordChanged 0x1498c:$a4: get_passwordField 0x351ac:$a4: get_passwordField 0x14a9b:$a5: set_encryptedPassword 0x352bb:$a5: set_encryptedPassword 0x160eb:$a7: get_logins 0x3690b:$a7: get_logins 0x1604e:$a10: KeyLoggerEventArgs 0x3686e:$a10: KeyLoggerEventArgs 0x15cb9:$a11: KeyLoggerEventArgsEventHandler 0x364d9:$a11: KeyLoggerEventArgsEventHandler
9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c48e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ccae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bee0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baf3:$a4: \Orbitum\User Data\Default\Login Data 0x3c313:$a4: \Orbitum\User Data\Default\Login Data 0x1cb32:$a5: \Kometa\User Data\Default\Login Data 0x3d352:$a5: \Kometa\User Data\Default\Login Data
9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15669:$s1: UnHook 0x35e89:$s1: UnHook 0x15670:$s2: SetHook 0x35e90:$s2: SetHook 0x15678:$s3: CallNextHook 0x35e98:$s3: CallNextHook 0x15685:$s4: _hook 0x35ea5:$s4: _hook
9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ad8:$x1: $%SMTPDV$ 0x3a2f8:$x1: $%SMTPDV$ 0x184bc:$x2: $#TheHashHere%& 0x38cdc:$x2: $#TheHashHere%& 0x19a80:$x3: %FTPDV$ 0x3a2a0:$x3: %FTPDV$ 0x1845c:$x4: $%TelegramDv$ 0x38c7c:$x4: $%TelegramDv$ 0x15cb9:$x5: KeyLoggerEventArgs 0x1604e:$x5: KeyLoggerEventArgs 0x364d9:$x5: KeyLoggerEventArgs 0x3686e:$x5: KeyLoggerEventArgs 0x19aa4:$m2: Clipboard Logs ID 0x19ce2:$m2: Screenshot Logs ID 0x19df2:$m2: keystroke Logs ID 0x3a2c4:$m2: Clipboard Logs ID 0x3a502:$m2: Screenshot Logs ID 0x3a612:$m2: keystroke Logs ID 0x1a0cc:$m3: SnakePW 0x3a8ec:$m3: SnakePW 0x19cba:$m4: \SnakeKeylogger\
0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a85:$a1: get_encryptedPassword 0x354a5:$a1: get_encryptedPassword 0x55cc5:$a1: get_encryptedPassword 0x14d71:$a2: get_encryptedUsername 0x35791:$a2: get_encryptedUsername 0x55fb1:$a2: get_encryptedUsername 0x14891:$a3: get_timePasswordChanged 0x352b1:$a3: get_timePasswordChanged 0x55ad1:$a3: get_timePasswordChanged 0x1498c:$a4: get_passwordField 0x353ac:$a4: get_passwordField 0x55bcc:$a4: get_passwordField 0x14a9b:$a5: set_encryptedPassword 0x354bb:$a5: set_encryptedPassword 0x55cdb:$a5: set_encryptedPassword 0x160eb:$a7: get_logins 0x36b0b:$a7: get_logins 0x5732b:$a7: get_logins 0x1604e:$a10: KeyLoggerEventArgs 0x36a6e:$a10: KeyLoggerEventArgs 0x5728e:$a10: KeyLoggerEventArgs
0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c48e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ceae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d6ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c0e0:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c900:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baf3:$a4: \Orbitum\User Data\Default\Login Data 0x3c513:$a4: \Orbitum\User Data\Default\Login Data 0x5cd33:$a4: \Orbitum\User Data\Default\Login Data 0x1cb32:$a5: \Kometa\User Data\Default\Login Data 0x3d552:$a5: \Kometa\User Data\Default\Login Data 0x5dd72:$a5: \Kometa\User Data\Default\Login Data
0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15669:$s1: UnHook 0x36089:$s1: UnHook 0x568a9:$s1: UnHook 0x15670:$s2: SetHook 0x36090:$s2: SetHook 0x568b0:$s2: SetHook 0x15678:$s3: CallNextHook 0x36098:$s3: CallNextHook 0x568b8:$s3: CallNextHook 0x15685:$s4: _hook 0x360a5:$s4: _hook 0x568c5:$s4: _hook
0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ad8:$x1: $%SMTPDV$ 0x3a4f8:$x1: $%SMTPDV$ 0x5ad18:$x1: $%SMTPDV$ 0x184bc:$x2: $#TheHashHere%& 0x38edc:$x2: $#TheHashHere%& 0x596fc:$x2: $#TheHashHere%& 0x19a80:$x3: %FTPDV$ 0x3a4a0:$x3: %FTPDV$ 0x5acc0:$x3: %FTPDV$ 0x1845c:$x4: $%TelegramDv$ 0x38e7c:$x4: $%TelegramDv$ 0x5969c:$x4: $%TelegramDv$ 0x15cb9:$x5: KeyLoggerEventArgs 0x1604e:$x5: KeyLoggerEventArgs 0x366d9:$x5: KeyLoggerEventArgs 0x36a6e:$x5: KeyLoggerEventArgs 0x56ef9:$x5: KeyLoggerEventArgs 0x5728e:$x5: KeyLoggerEventArgs 0x19aa4:$m2: Clipboard Logs ID 0x19ce2:$m2: Screenshot Logs ID 0x19df2:$m2: keystroke Logs ID
0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a85:$a1: get_encryptedPassword 0x352a5:$a1: get_encryptedPassword 0x14d71:$a2: get_encryptedUsername 0x35591:$a2: get_encryptedUsername 0x14891:$a3: get_timePasswordChanged 0x350b1:$a3: get_timePasswordChanged 0x1498c:$a4: get_passwordField 0x351ac:$a4: get_passwordField 0x14a9b:$a5: set_encryptedPassword 0x352bb:$a5: set_encryptedPassword 0x160eb:$a7: get_logins 0x3690b:$a7: get_logins 0x1604e:$a10: KeyLoggerEventArgs 0x3686e:$a10: KeyLoggerEventArgs 0x15cb9:$a11: KeyLoggerEventArgsEventHandler 0x364d9:$a11: KeyLoggerEventArgsEventHandler
0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c48e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ccae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bee0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baf3:$a4: \Orbitum\User Data\Default\Login Data 0x3c313:$a4: \Orbitum\User Data\Default\Login Data 0x1cb32:$a5: \Kometa\User Data\Default\Login Data 0x3d352:$a5: \Kometa\User Data\Default\Login Data
0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15669:$s1: UnHook 0x35e89:$s1: UnHook 0x15670:$s2: SetHook 0x35e90:$s2: SetHook 0x15678:$s3: CallNextHook 0x35e98:$s3: CallNextHook 0x15685:$s4: _hook 0x35ea5:$s4: _hook
0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ad8:$x1: $%SMTPDV$ 0x3a2f8:$x1: $%SMTPDV$ 0x184bc:$x2: $#TheHashHere%& 0x38cdc:$x2: $#TheHashHere%& 0x19a80:$x3: %FTPDV$ 0x3a2a0:$x3: %FTPDV$ 0x1845c:$x4: $%TelegramDv$ 0x38c7c:$x4: $%TelegramDv$ 0x15cb9:$x5: KeyLoggerEventArgs 0x1604e:$x5: KeyLoggerEventArgs 0x364d9:$x5: KeyLoggerEventArgs 0x3686e:$x5: KeyLoggerEventArgs 0x19aa4:$m2: Clipboard Logs ID 0x19ce2:$m2: Screenshot Logs ID 0x19df2:$m2: keystroke Logs ID 0x3a2c4:$m2: Clipboard Logs ID 0x3a502:$m2: Screenshot Logs ID 0x3a612:$m2: keystroke Logs ID 0x1a0cc:$m3: SnakePW 0x3a8ec:$m3: SnakePW 0x19cba:$m4: \SnakeKeylogger\
9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14a85:$a1: get_encryptedPassword 0x354a5:$a1: get_encryptedPassword 0x55cc5:$a1: get_encryptedPassword 0x14d71:$a2: get_encryptedUsername 0x35791:$a2: get_encryptedUsername 0x55fb1:$a2: get_encryptedUsername 0x14891:$a3: get_timePasswordChanged 0x352b1:$a3: get_timePasswordChanged 0x55ad1:$a3: get_timePasswordChanged 0x1498c:$a4: get_passwordField 0x353ac:$a4: get_passwordField 0x55bcc:$a4: get_passwordField 0x14a9b:$a5: set_encryptedPassword 0x354bb:$a5: set_encryptedPassword 0x55cdb:$a5: set_encryptedPassword 0x160eb:$a7: get_logins 0x36b0b:$a7: get_logins 0x5732b:$a7: get_logins 0x1604e:$a10: KeyLoggerEventArgs 0x36a6e:$a10: KeyLoggerEventArgs 0x5728e:$a10: KeyLoggerEventArgs
9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c48e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ceae:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d6ce:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6c0:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c0e0:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c900:$a3: \Google\Chrome\User Data\Default\Login Data 0x1baf3:$a4: \Orbitum\User Data\Default\Login Data 0x3c513:$a4: \Orbitum\User Data\Default\Login Data 0x5cd33:$a4: \Orbitum\User Data\Default\Login Data 0x1cb32:$a5: \Kometa\User Data\Default\Login Data 0x3d552:$a5: \Kometa\User Data\Default\Login Data 0x5dd72:$a5: \Kometa\User Data\Default\Login Data
9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15669:$s1: UnHook 0x36089:$s1: UnHook 0x568a9:$s1: UnHook 0x15670:$s2: SetHook 0x36090:$s2: SetHook 0x568b0:$s2: SetHook 0x15678:$s3: CallNextHook 0x36098:$s3: CallNextHook 0x568b8:$s3: CallNextHook 0x15685:$s4: _hook 0x360a5:$s4: _hook 0x568c5:$s4: _hook
9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19ad8:$x1: $%SMTPDV$ 0x3a4f8:$x1: $%SMTPDV$ 0x5ad18:$x1: $%SMTPDV$ 0x184bc:$x2: $#TheHashHere%& 0x38edc:$x2: $#TheHashHere%& 0x596fc:$x2: $#TheHashHere%& 0x19a80:$x3: %FTPDV$ 0x3a4a0:$x3: %FTPDV$ 0x5acc0:$x3: %FTPDV$ 0x1845c:$x4: $%TelegramDv$ 0x38e7c:$x4: $%TelegramDv$ 0x5969c:$x4: $%TelegramDv$ 0x15cb9:$x5: KeyLoggerEventArgs 0x1604e:$x5: KeyLoggerEventArgs 0x366d9:$x5: KeyLoggerEventArgs 0x36a6e:$x5: KeyLoggerEventArgs 0x56ef9:$x5: KeyLoggerEventArgs 0x5728e:$x5: KeyLoggerEventArgs 0x19aa4:$m2: Clipboard Logs ID 0x19ce2:$m2: Screenshot Logs ID 0x19df2:$m2: keystroke Logs ID
Click to see the 47 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hcy2SdW2z6.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hcy2SdW2z6.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\hcy2SdW2z6.exe", ParentImage: C:\Users\user\Desktop\hcy2SdW2z6.exe, ParentProcessId: 7704, ParentProcessName: hcy2SdW2z6.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hcy2SdW2z6.exe", ProcessId: 7812, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpEF6B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpEF6B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe, ParentImage: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe, ParentProcessId: 7440, ParentProcessName: zZlsXaceOG.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpEF6B.tmp", ProcessId: 4688, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpDE83.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpDE83.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\hcy2SdW2z6.exe", ParentImage: C:\Users\user\Desktop\hcy2SdW2z6.exe, ParentProcessId: 7704, ParentProcessName: hcy2SdW2z6.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpDE83.tmp", ProcessId: 7892, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hcy2SdW2z6.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hcy2SdW2z6.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\hcy2SdW2z6.exe", ParentImage: C:\Users\user\Desktop\hcy2SdW2z6.exe, ParentProcessId: 7704, ParentProcessName: hcy2SdW2z6.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hcy2SdW2z6.exe", ProcessId: 7812, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8068, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpDE83.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpDE83.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\hcy2SdW2z6.exe", ParentImage: C:\Users\user\Desktop\hcy2SdW2z6.exe, ParentProcessId: 7704, ParentProcessName: hcy2SdW2z6.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpDE83.tmp", ProcessId: 7892, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T06:07:32.805327+0100	2803305	3	Unknown Traffic	192.168.2.4	49717	104.21.96.1	443	TCP
2025-03-11T06:07:35.532292+0100	2803305	3	Unknown Traffic	192.168.2.4	49721	104.21.96.1	443	TCP
2025-03-11T06:07:35.691901+0100	2803305	3	Unknown Traffic	192.168.2.4	49722	104.21.96.1	443	TCP
2025-03-11T06:07:38.643471+0100	2803305	3	Unknown Traffic	192.168.2.4	49726	104.21.96.1	443	TCP
2025-03-11T06:07:38.655170+0100	2803305	3	Unknown Traffic	192.168.2.4	49728	104.21.96.1	443	TCP
2025-03-11T06:07:42.619051+0100	2803305	3	Unknown Traffic	192.168.2.4	49736	104.21.96.1	443	TCP
2025-03-11T06:07:45.435603+0100	2803305	3	Unknown Traffic	192.168.2.4	49740	104.21.96.1	443	TCP
2025-03-11T06:07:51.351386+0100	2803305	3	Unknown Traffic	192.168.2.4	49748	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T06:07:27.049790+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49710	193.122.6.168	80	TCP
2025-03-11T06:07:30.858399+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49710	193.122.6.168	80	TCP
2025-03-11T06:07:30.893571+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49715	193.122.6.168	80	TCP
2025-03-11T06:07:33.378022+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49715	193.122.6.168	80	TCP
2025-03-11T06:07:33.534211+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49719	193.122.6.168	80	TCP
2025-03-11T06:07:36.248371+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49724	193.122.6.168	80	TCP
2025-03-11T06:07:36.393587+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49725	193.122.6.168	80	TCP
2025-03-11T06:07:39.393640+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49734	193.122.6.168	80	TCP
2025-03-11T06:07:42.252973+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49737	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hcy2SdW2z6.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe

Avira: detection malicious, Label: TR/AD.SnakeStealer.cpdev

Found malware configuration

Source: 0000000D.00000002.3644075067.00000000028C1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k/sendMessage?chat_id=5217421430", "Token": "5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k", "Chat_id": "5217421430", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: hcy2SdW2z6.exe	Virustotal: Detection: 65%			Perma Link
Source: hcy2SdW2z6.exe	ReversingLabs: Detection: 55%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack	String decryptor:
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack	String decryptor: 5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack	String decryptor: 5217421430
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack	String decryptor:
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack	String decryptor: 5227573794:AAECZBnQSxLs0aOVsV2wnclC6-WKnxPpi_k
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack	String decryptor: 5217421430

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: hcy2SdW2z6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49718 version: TLS 1.0

Source: hcy2SdW2z6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 07D7F31Ah	0_2_07D7E98D
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 0125F1F6h	8_2_0125F007
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 0125FB80h	8_2_0125F007
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_0125E528
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_0125EB5B
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_0125ED3C
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A11A38h	8_2_06A11620
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A102F1h	8_2_06A10040
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A11471h	8_2_06A111C0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1CD49h	8_2_06A1CAA0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1D1A1h	8_2_06A1CEF8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1F8B9h	8_2_06A1F610
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A11A38h	8_2_06A11A13
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1FD11h	8_2_06A1FA68
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1C8F1h	8_2_06A1C648
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1DA51h	8_2_06A1D7A8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1D5F9h	8_2_06A1D350
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A10751h	8_2_06A104A0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1E759h	8_2_06A1E4B0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1B791h	8_2_06A1B4E8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1DEA9h	8_2_06A1DC00
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1E301h	8_2_06A1E058
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1F461h	8_2_06A1F1B8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1C041h	8_2_06A1BD98
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1C499h	8_2_06A1C1F0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A10BB1h	8_2_06A10900
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1EBB1h	8_2_06A1E908
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A11011h	8_2_06A10D60
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1F009h	8_2_06A1ED60
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A11A38h	8_2_06A11966
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A1BBE9h	8_2_06A1B940
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A48945h	8_2_06A48608
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_06A436CE
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A46171h	8_2_06A45EC8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A458C1h	8_2_06A45618
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A45D19h	8_2_06A45A70
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_06A433A8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_06A433B8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A46E79h	8_2_06A46BD0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A465C9h	8_2_06A46320
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A46A21h	8_2_06A46778
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A47751h	8_2_06A474A8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A40741h	8_2_06A40498
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A40B99h	8_2_06A408F0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A402E9h	8_2_06A40040
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A472FAh	8_2_06A47050
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A48459h	8_2_06A481B0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A45441h	8_2_06A45198
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A47BA9h	8_2_06A47900
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A40FF1h	8_2_06A40D48
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 4x nop then jmp 06A48001h	8_2_06A47D58
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 07B4E602h	9_2_07B4DC75
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 00F2F1F6h	13_2_00F2F007
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 00F2FB80h	13_2_00F2F007
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	13_2_00F2E528
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EF02F1h	13_2_04EF0040
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EF1471h	13_2_04EF11C0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EF1A38h	13_2_04EF1620
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFB791h	13_2_04EFB4E8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EF0751h	13_2_04EF04A0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFE759h	13_2_04EFE4B0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFE301h	13_2_04EFE058
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFDEA9h	13_2_04EFDC00
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFC499h	13_2_04EFC1F0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFF461h	13_2_04EFF1B8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFC041h	13_2_04EFBD98
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EF1A38h	13_2_04EF1966
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EF1011h	13_2_04EF0D60
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFF009h	13_2_04EFED60
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFBBE9h	13_2_04EFB940
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFEBB1h	13_2_04EFE908
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EF0BB1h	13_2_04EF0900
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFD1A1h	13_2_04EFCEF8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFCD49h	13_2_04EFCAA0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFFD11h	13_2_04EFFA68
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFC8F1h	13_2_04EFC648
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFF8B9h	13_2_04EFF610
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFDA51h	13_2_04EFD7A8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 04EFD5F9h	13_2_04EFD350
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B8945h	13_2_054B8608
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B0FF1h	13_2_054B0D48
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B8001h	13_2_054B7D58
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B7BA9h	13_2_054B7900
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B5441h	13_2_054B5198
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B8459h	13_2_054B81B0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B02E9h	13_2_054B0040
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B72FAh	13_2_054B7050
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B0B99h	13_2_054B08F0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B0741h	13_2_054B0498
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B7751h	13_2_054B74A8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B6A21h	13_2_054B6778
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B65C9h	13_2_054B6320
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B6E79h	13_2_054B6BD0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	13_2_054B33A8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	13_2_054B33B8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B5D19h	13_2_054B5A70
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B58C1h	13_2_054B5618
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 4x nop then jmp 054B6171h	13_2_054B5EC8

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49719 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49725 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49710 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49724 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49715 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49722 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49721 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49717 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49728 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49726 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49736 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49718 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A2B000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.000000000298B000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A1E000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D55000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A2B000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.000000000297F000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.000000000298B000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A1E000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.00000000029CE000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: hcy2SdW2z6.exe, 00000000.00000002.1236876601.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 00000009.00000002.1277566601.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3639123759.0000000000418000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 00000007.00000002.2865477507.0000021188800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000007.00000003.1208519044.00000211886C8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000007.00000003.1208519044.00000211886C8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000007.00000003.1208519044.00000211886C8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000007.00000003.1208519044.00000211886FD000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.7.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002CA5000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A2B000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.00000000029A3000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A1E000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: hcy2SdW2z6.exe, 00000000.00000002.1232948903.00000000030BA000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: zZlsXaceOG.exe, 00000009.00000002.1274865317.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameh
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: zZlsXaceOG.exe, 0000000D.00000002.3650954724.00000000060F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coa
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: hcy2SdW2z6.exe, 00000000.00000002.1239750711.0000000007862000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exe, 00000007.00000003.1208519044.0000021188772000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.7.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.7.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.7.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000007.00000003.1208519044.0000021188772000.00000004.00000800.00020000.00000000.sdmp, edb.log.7.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000007.00000003.1208519044.0000021188772000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.7.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A2B000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.000000000298B000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A1E000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.00000000029CE000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: hcy2SdW2z6.exe, 00000000.00000002.1236876601.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002C8D000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 00000009.00000002.1277566601.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.000000000298B000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3639123759.0000000000418000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D1F000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D2D000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002D48000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A2B000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A1E000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.00000000029CE000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A74000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002A39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.zZlsXaceOG.exe.4511d18.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.zZlsXaceOG.exe.4511d18.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.zZlsXaceOG.exe.4511d18.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.zZlsXaceOG.exe.4511d18.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 13.2.zZlsXaceOG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 13.2.zZlsXaceOG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.3639199357.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.3639123759.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000009.00000002.1277566601.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1277566601.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1236876601.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1236876601.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: hcy2SdW2z6.exe PID: 7704, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: hcy2SdW2z6.exe PID: 7704, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: hcy2SdW2z6.exe PID: 8176, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: zZlsXaceOG.exe PID: 7440, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: zZlsXaceOG.exe PID: 7440, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: zZlsXaceOG.exe PID: 504, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

.NET source code contains very large array initializations

Source: hcy2SdW2z6.exe, ListView.cs

Large array initialization: : array initializer size 577436

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07C9E590	0_2_07C9E590
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07C913B4	0_2_07C913B4
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07C9CEB8	0_2_07C9CEB8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07C9E580	0_2_07C9E580
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07C93038	0_2_07C93038
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07C9CE78	0_2_07C9CE78
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07D717F0	0_2_07D717F0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07D717E0	0_2_07D717E0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07D786D0	0_2_07D786D0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07D756C8	0_2_07D756C8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07D78298	0_2_07D78298
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07D7A1B0	0_2_07D7A1B0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07D70B78	0_2_07D70B78
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07D78B08	0_2_07D78B08
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07D71AD0	0_2_07D71AD0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07D7AAE0	0_2_07D7AAE0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07D71AE0	0_2_07D71AE0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07D71A78	0_2_07D71A78
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_08070940	0_2_08070940
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_08071568	0_2_08071568
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_01256108	8_2_01256108
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_0125C193	8_2_0125C193
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_0125F007	8_2_0125F007
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_0125B328	8_2_0125B328
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_0125C470	8_2_0125C470
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_0125C753	8_2_0125C753
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_01259858	8_2_01259858
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_01256880	8_2_01256880
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_0125BBD3	8_2_0125BBD3
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_0125CA33	8_2_0125CA33
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_01254AD9	8_2_01254AD9
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_0125BEB0	8_2_0125BEB0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_0125E528	8_2_0125E528
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_0125E517	8_2_0125E517
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_01253573	8_2_01253573
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_0125B4F3	8_2_0125B4F3
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A18460	8_2_06A18460
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A13870	8_2_06A13870
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A10040	8_2_06A10040
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A17D90	8_2_06A17D90
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A111C0	8_2_06A111C0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1CAA0	8_2_06A1CAA0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1CA9E	8_2_06A1CA9E
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1CEEF	8_2_06A1CEEF
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1CEF8	8_2_06A1CEF8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1C638	8_2_06A1C638
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1F600	8_2_06A1F600
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1F610	8_2_06A1F610
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1FA68	8_2_06A1FA68
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1C648	8_2_06A1C648
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1FA59	8_2_06A1FA59
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1D7A8	8_2_06A1D7A8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1D798	8_2_06A1D798
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A173E8	8_2_06A173E8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1DBF1	8_2_06A1DBF1
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1D340	8_2_06A1D340
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1D350	8_2_06A1D350
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A104A0	8_2_06A104A0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1E4A0	8_2_06A1E4A0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1E4B0	8_2_06A1E4B0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A10490	8_2_06A10490
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1B4E8	8_2_06A1B4E8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A108F0	8_2_06A108F0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1E8F8	8_2_06A1E8F8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1B4D7	8_2_06A1B4D7
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1DC00	8_2_06A1DC00
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A10006	8_2_06A10006
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A13860	8_2_06A13860
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1E04B	8_2_06A1E04B
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1E058	8_2_06A1E058
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1F1A9	8_2_06A1F1A9
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A111B0	8_2_06A111B0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1F1B8	8_2_06A1F1B8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1BD88	8_2_06A1BD88
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1BD98	8_2_06A1BD98
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1C1E0	8_2_06A1C1E0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1C1F0	8_2_06A1C1F0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1B930	8_2_06A1B930
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A10900	8_2_06A10900
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1E908	8_2_06A1E908
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A10D60	8_2_06A10D60
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1ED60	8_2_06A1ED60
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1B940	8_2_06A1B940
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A10D51	8_2_06A10D51
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1ED50	8_2_06A1ED50
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4B6E8	8_2_06A4B6E8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A48608	8_2_06A48608
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4D670	8_2_06A4D670
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4AA58	8_2_06A4AA58
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4C388	8_2_06A4C388
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A48BF3	8_2_06A48BF3
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4B0A0	8_2_06A4B0A0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4D028	8_2_06A4D028
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4A408	8_2_06A4A408
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A411A0	8_2_06A411A0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4C9D8	8_2_06A4C9D8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4BD38	8_2_06A4BD38
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A45EB8	8_2_06A45EB8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A45EC8	8_2_06A45EC8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4B6D9	8_2_06A4B6D9
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4560B	8_2_06A4560B
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A45618	8_2_06A45618
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A45A60	8_2_06A45A60
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4D661	8_2_06A4D661
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A45A70	8_2_06A45A70
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4AA48	8_2_06A4AA48
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A433A8	8_2_06A433A8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A433B8	8_2_06A433B8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4A3F8	8_2_06A4A3F8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A46BC1	8_2_06A46BC1
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A46BD0	8_2_06A46BD0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A46320	8_2_06A46320
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A43730	8_2_06A43730
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A46313	8_2_06A46313
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4676B	8_2_06A4676B
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A46778	8_2_06A46778
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4C378	8_2_06A4C378
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A474A8	8_2_06A474A8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4B08F	8_2_06A4B08F
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A40488	8_2_06A40488
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A47497	8_2_06A47497
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A40498	8_2_06A40498
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A408E0	8_2_06A408E0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A478F0	8_2_06A478F0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A408F0	8_2_06A408F0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A44430	8_2_06A44430
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A40007	8_2_06A40007
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A42807	8_2_06A42807
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A42818	8_2_06A42818
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4D018	8_2_06A4D018
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A40040	8_2_06A40040
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A47040	8_2_06A47040
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A47050	8_2_06A47050
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A481A0	8_2_06A481A0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A481B0	8_2_06A481B0
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4518B	8_2_06A4518B
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A41191	8_2_06A41191
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A45198	8_2_06A45198
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A485FB	8_2_06A485FB
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4C9C8	8_2_06A4C9C8
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A4BD28	8_2_06A4BD28
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A40D39	8_2_06A40D39
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A47900	8_2_06A47900
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A40D48	8_2_06A40D48
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A47D48	8_2_06A47D48
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A47D58	8_2_06A47D58
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_050C4448	9_2_050C4448
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_050C4458	9_2_050C4458
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_050C24E4	9_2_050C24E4
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_0570E590	9_2_0570E590
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_0570CEB8	9_2_0570CEB8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_0570E580	9_2_0570E580
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_0570CE78	9_2_0570CE78
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_05703038	9_2_05703038
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_057013B4	9_2_057013B4
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_057013A5	9_2_057013A5
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_07B4FA2A	9_2_07B4FA2A
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_07B417F0	9_2_07B417F0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_07B417E0	9_2_07B417E0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_07B486D0	9_2_07B486D0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_07B456C8	9_2_07B456C8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_07B48298	9_2_07B48298
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_07B4A1B0	9_2_07B4A1B0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_07B48B08	9_2_07B48B08
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_07B40B78	9_2_07B40B78
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_07B4AAE0	9_2_07B4AAE0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_07B41AE0	9_2_07B41AE0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_07B41AD0	9_2_07B41AD0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_07B41A78	9_2_07B41A78
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F2F007	13_2_00F2F007
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F26108	13_2_00F26108
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F2B328	13_2_00F2B328
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F2C470	13_2_00F2C470
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F297E8	13_2_00F297E8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F2C751	13_2_00F2C751
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F26880	13_2_00F26880
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F24AD9	13_2_00F24AD9
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F2CA31	13_2_00F2CA31
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F2BBD3	13_2_00F2BBD3
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F2BEB0	13_2_00F2BEB0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F2B4F3	13_2_00F2B4F3
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F23570	13_2_00F23570
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F2E528	13_2_00F2E528
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_00F2E517	13_2_00F2E517
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF8460	13_2_04EF8460
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF3870	13_2_04EF3870
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF0040	13_2_04EF0040
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF11C0	13_2_04EF11C0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF7D90	13_2_04EF7D90
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFB4E8	13_2_04EFB4E8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFE8F8	13_2_04EFE8F8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF08F0	13_2_04EF08F0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFB4D7	13_2_04EFB4D7
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF04A0	13_2_04EF04A0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFE4A0	13_2_04EFE4A0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFE4B0	13_2_04EFE4B0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF0490	13_2_04EF0490
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF3860	13_2_04EF3860
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFE049	13_2_04EFE049
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFE058	13_2_04EFE058
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFDC00	13_2_04EFDC00
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF001E	13_2_04EF001E
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF0014	13_2_04EF0014
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFC1E0	13_2_04EFC1E0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFC1F0	13_2_04EFC1F0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFF1A9	13_2_04EFF1A9
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFF1B8	13_2_04EFF1B8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF11B0	13_2_04EF11B0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFBD88	13_2_04EFBD88
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFBD98	13_2_04EFBD98
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF0D60	13_2_04EF0D60
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFED60	13_2_04EFED60
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFB940	13_2_04EFB940
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF0D51	13_2_04EF0D51
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFED50	13_2_04EFED50
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFB930	13_2_04EFB930
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFE908	13_2_04EFE908
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF0900	13_2_04EF0900
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFCEEA	13_2_04EFCEEA
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFCEF8	13_2_04EFCEF8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFCAA0	13_2_04EFCAA0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFFA68	13_2_04EFFA68
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFC648	13_2_04EFC648
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFFA59	13_2_04EFFA59
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFC638	13_2_04EFC638
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFF600	13_2_04EFF600
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFF610	13_2_04EFF610
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF73E8	13_2_04EF73E8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFDBF1	13_2_04EFDBF1
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFD7A8	13_2_04EFD7A8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFD798	13_2_04EFD798
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFD340	13_2_04EFD340
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EFD350	13_2_04EFD350
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BBD38	13_2_054BBD38
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BC9D8	13_2_054BC9D8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B8C51	13_2_054B8C51
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BA408	13_2_054BA408
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BD028	13_2_054BD028
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BB0A0	13_2_054BB0A0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BC388	13_2_054BC388
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BAA58	13_2_054BAA58
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BD670	13_2_054BD670
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B8608	13_2_054B8608
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BB6E8	13_2_054BB6E8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B0D48	13_2_054B0D48
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B7D48	13_2_054B7D48
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B7D58	13_2_054B7D58
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B7900	13_2_054B7900
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BBD28	13_2_054BBD28
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B0D39	13_2_054B0D39
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BC9C8	13_2_054BC9C8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B85FC	13_2_054B85FC
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B518A	13_2_054B518A
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B5198	13_2_054B5198
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B1191	13_2_054B1191
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B11A0	13_2_054B11A0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B81A0	13_2_054B81A0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B81B0	13_2_054B81B0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B0040	13_2_054B0040
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B7040	13_2_054B7040
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B7050	13_2_054B7050
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B2809	13_2_054B2809
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B2807	13_2_054B2807
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B0006	13_2_054B0006
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BD018	13_2_054BD018
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B4430	13_2_054B4430
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B08E0	13_2_054B08E0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B78F0	13_2_054B78F0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B08F0	13_2_054B08F0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B0488	13_2_054B0488
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B0498	13_2_054B0498
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BB090	13_2_054BB090
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B7497	13_2_054B7497
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B74A8	13_2_054B74A8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B28B0	13_2_054B28B0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B6778	13_2_054B6778
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BC378	13_2_054BC378
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B6312	13_2_054B6312
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B6320	13_2_054B6320
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B3730	13_2_054B3730
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B6BC1	13_2_054B6BC1
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B6BD0	13_2_054B6BD0
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BA3F8	13_2_054BA3F8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B33A8	13_2_054B33A8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B33B8	13_2_054B33B8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BAA48	13_2_054BAA48
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BD662	13_2_054BD662
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B5A60	13_2_054B5A60
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B5A70	13_2_054B5A70
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B560A	13_2_054B560A
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B5618	13_2_054B5618
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B5EC8	13_2_054B5EC8
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054BB6D9	13_2_054BB6D9
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_054B5EB8	13_2_054B5EB8

Source: hcy2SdW2z6.exe, 00000000.00000002.1231896459.0000000001430000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs hcy2SdW2z6.exe
Source: hcy2SdW2z6.exe, 00000000.00000002.1231393034.000000000123E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs hcy2SdW2z6.exe
Source: hcy2SdW2z6.exe, 00000000.00000002.1236876601.000000000475F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs hcy2SdW2z6.exe
Source: hcy2SdW2z6.exe, 00000000.00000002.1240323842.0000000007C40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs hcy2SdW2z6.exe
Source: hcy2SdW2z6.exe, 00000000.00000002.1239392482.000000000626D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEY2 vs hcy2SdW2z6.exe
Source: hcy2SdW2z6.exe, 00000000.00000002.1236876601.0000000004A10000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs hcy2SdW2z6.exe
Source: hcy2SdW2z6.exe, 00000000.00000002.1236876601.0000000003F49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs hcy2SdW2z6.exe
Source: hcy2SdW2z6.exe, 00000000.00000000.1174114844.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehSyL.exeB vs hcy2SdW2z6.exe
Source: hcy2SdW2z6.exe, 00000000.00000002.1232948903.0000000003110000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs hcy2SdW2z6.exe
Source: hcy2SdW2z6.exe, 00000008.00000002.3639838847.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs hcy2SdW2z6.exe
Source: hcy2SdW2z6.exe	Binary or memory string: OriginalFilenamehSyL.exeB vs hcy2SdW2z6.exe

Source: hcy2SdW2z6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.zZlsXaceOG.exe.4511d18.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.zZlsXaceOG.exe.4511d18.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.zZlsXaceOG.exe.4511d18.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.zZlsXaceOG.exe.4511d18.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 13.2.zZlsXaceOG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.zZlsXaceOG.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.3639199357.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.3639123759.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000009.00000002.1277566601.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1277566601.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1236876601.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1236876601.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: hcy2SdW2z6.exe PID: 7704, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: hcy2SdW2z6.exe PID: 7704, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: hcy2SdW2z6.exe PID: 8176, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: zZlsXaceOG.exe PID: 7440, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: zZlsXaceOG.exe PID: 7440, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: zZlsXaceOG.exe PID: 504, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: hcy2SdW2z6.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: zZlsXaceOG.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, -KU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, -KU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, -----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, -KU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, -KU.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, yOM0bRb7wDu62SICtB.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, yOM0bRb7wDu62SICtB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, Na63LTehrWkdCYtgr5.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, Na63LTehrWkdCYtgr5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, Na63LTehrWkdCYtgr5.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@20/20@2/3

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

File created: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Mutant created: \Sessions\1\BaseNamedObjects\ZOxEkLdpBDrfwkD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

File created: C:\Users\user\AppData\Local\Temp\tmpDE83.tmp

Jump to behavior

Source: hcy2SdW2z6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: hcy2SdW2z6.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002E20000.00000004.00000800.00020000.00000000.sdmp, hcy2SdW2z6.exe, 00000008.00000002.3644481905.0000000002E02000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, zZlsXaceOG.exe, 0000000D.00000002.3644075067.0000000002B00000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: hcy2SdW2z6.exe	Virustotal: Detection: 65%
Source: hcy2SdW2z6.exe	ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

File read: C:\Users\user\Desktop\hcy2SdW2z6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hcy2SdW2z6.exe "C:\Users\user\Desktop\hcy2SdW2z6.exe"
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hcy2SdW2z6.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zZlsXaceOG.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpDE83.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Users\user\Desktop\hcy2SdW2z6.exe "C:\Users\user\Desktop\hcy2SdW2z6.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe C:\Users\user\AppData\Roaming\zZlsXaceOG.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpEF6B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process created: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe "C:\Users\user\AppData\Roaming\zZlsXaceOG.exe"
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hcy2SdW2z6.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zZlsXaceOG.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpDE83.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Users\user\Desktop\hcy2SdW2z6.exe "C:\Users\user\Desktop\hcy2SdW2z6.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpEF6B.tmp"
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process created: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe "C:\Users\user\AppData\Roaming\zZlsXaceOG.exe"

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: hcy2SdW2z6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: hcy2SdW2z6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.hcy2SdW2z6.exe.7c40000.6.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, Na63LTehrWkdCYtgr5.cs	.Net Code: vSu9cH6fGwWxvAJQsoH System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07C98DF9 pushad ; retf	0_2_07C9901D
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07C92BA0 pushfd ; retf	0_2_07C92BA1
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 0_2_07C91AF8 push esp; ret	0_2_07C91AF9
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A12E78 push esp; iretd	8_2_06A12E79
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A16F8B push es; ret	8_2_06A16FE4
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A16F13 push es; ret	8_2_06A16FE4
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A12840 push esp; retf	8_2_06A12AC9
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Code function: 8_2_06A1705B push es; iretd	8_2_06A1705C
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_05708E08 pushad ; retf	9_2_0570901D
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_05702BA0 pushfd ; retf	9_2_05702BA1
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 9_2_05701AF8 push esp; ret	9_2_05701AF9
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Code function: 13_2_04EF2E78 push esp; iretd	13_2_04EF2E79

Source: hcy2SdW2z6.exe	Static PE information: section name: .text entropy: 7.550509177696014
Source: zZlsXaceOG.exe.0.dr	Static PE information: section name: .text entropy: 7.550509177696014

Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, DtvJEGtDCEqJNsbGAV.cs	High entropy of concatenated method names: 'AOIkb6sYjE', 'UpikfEFQrd', 'BhdkO9PweH', 'eQ2ksvEWZF', 'e86kQJSPqT', 'LHqkgVZfQI', 'upZkFqQRJu', 'PuYkwPjLpQ', 'V3IkygaKrf', 'MyJkJ3Vsou'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, Na63LTehrWkdCYtgr5.cs	High entropy of concatenated method names: 'x4EWBnrhu5', 'n37WAj9y4B', 'zrTWd90bkk', 'AslWKjgadP', 'S0eWiETHh2', 'kXKWGF3xQQ', 'LipWVnm1wg', 'zMlWeQJ1UB', 'r2uWStehJ1', 'exxWXXivlb'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, E2Q8vrKvjyfdYqH0wJ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ehcvl0JNr8', 'Qf5v12NDeC', 'eTAvzyUPPG', 'TSRWcruWZI', 'zdXWjjDlm0', 'nq5WvHRP3B', 'NphWWykc9J', 'Ho4Jy169enlSTKxUKYc'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, yOM0bRb7wDu62SICtB.cs	High entropy of concatenated method names: 'PtPdH9pQG9', 'Wrid58bElI', 'IsadYK0xIL', 'vU5dUaN6qO', 'FfMd4td8wi', 'DV3dNk0TtG', 't53dpK1GCS', 'bEddriPJlh', 'YupdlCPyNA', 'Xacd1sNICm'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, QbZ206lF5HGx3YU8j0.cs	High entropy of concatenated method names: 't1F8OBbIYL', 'Emw8s76Hns', 'Sgg8TDy1Pl', 'svy8QOdV3w', 'hic8gWU3VL', 'zlY8afh820', 'h6h8FlvKkY', 'Erg8wpqW3r', 'cL98ZfHxrp', 'rJU8yIqBSh'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, dNS7VLaV4vOLsSxCyY.cs	High entropy of concatenated method names: 'QLoGYMwedH', 'cwvGUAe0ii', 'EuGG4FIeht', 'ToString', 'YZrGNTwJEO', 'LyVGp6DjW2', 'SmHaIyqN5xapoqwP2DF', 'XFNog0qOMk8NPhoafX8', 'OADUZgqutlYuj0h3dD7'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, AofUnnNu99MrCWjtvl.cs	High entropy of concatenated method names: 'VfL9rMpwBm', 'nKV91yOFh7', 'oUkRcuydsW', 'kdqRjJqTe5', 'NYm9JBjJLx', 'MHQ9Cmgc1i', 's1J9tJhpy7', 'oCm9HMHV6V', 'U6E95wr6Uk', 'qAw9YF0eGL'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, GJcAYXY717upsp7s9K.cs	High entropy of concatenated method names: 'ToString', 'cuU7JM1vfB', 'w6R7sA9Xim', 'vLq7Tjq5xT', 'kQY7Qpwt48', 'Pum7gklADt', 'n857axajqA', 'cBd7FrBkcb', 'tDF7w2vL1d', 'C0Z7ZpvGbO'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, StWk4SjjQ3metO1CHxL.cs	High entropy of concatenated method names: 'otih1rSMe0', 'YfkhziRhFo', 'sddEcktL4q', 'nKwEjXUFGN', 'AyDEv68xPV', 'r8SEWE1rkd', 'O1yE6ipFyd', 'zIyEBlLEgx', 'eIdEAd4ZDA', 'Ai1EdbJFXQ'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, EYIgc1fnY0Mlv9844J.cs	High entropy of concatenated method names: 'n80K3a9euN', 'ycPKmBGvau', 'TW3KbkqllK', 'xKoKfOkIkV', 'iqLKxiB0ho', 'qotK7VXVNA', 'BuVK91KG9u', 'PirKR3bMYP', 'AFkK8iP3Sx', 'AuZKhJ0FhB'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, BhRDxR1Ad0eqlMtskb.cs	High entropy of concatenated method names: 'M0whKp73yE', 'zMRhiy9XcO', 'wxGhGlUiYM', 'jRQhVaunkV', 'llVh8o5N5C', 'QvyheVxQ32', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, fYGUFPFRo1KUbruArD.cs	High entropy of concatenated method names: 'M8CVA8fdD0', 'C5SVKCMD1L', 'Tj8VGFGu6I', 'AZNG1OVvmq', 'mUqGzW0HGW', 'UuQVc61bC6', 'RSCVjcdKhF', 'B8WVvnXkHN', 'LklVWhWAbN', 'TgwV6AJp8b'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, gW1pxddDey09baIHSW.cs	High entropy of concatenated method names: 'Dispose', 'eAJjlSplgE', 'A7lvs9yMpl', 'rGbwGjQVHs', 'zGnj1t6TKE', 'CW2jzg0l9U', 'ProcessDialogKey', 'iYHvcbZ206', 'K5HvjGx3YU', 'sj0vvmhRDx'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, AFeIdI6LZTOhlVe84i.cs	High entropy of concatenated method names: 'KnMjVOM0bR', 'pwDjeu62SI', 'YnYjX0Mlv9', 's44jDJ2taK', 'ScfjxiWZt3', 'jbRj7v8E1M', 'oN0xqhdEtMkfoWArHW', 'wJoMbBFZ9T0hUUJ9uG', 'phSjjRycXo', 'MJcjWbsoiv'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, Mt3VbROv8E1MeJd1rh.cs	High entropy of concatenated method names: 'e9YGBPd4uY', 'IkrGdLUe1h', 'ERXGiTQFev', 'D9cGVbWN5n', 'L9QGeUOFr5', 'J6Fi4lBkTo', 'xfYiNpDkHt', 'n1oipG52d5', 'Kw9irtgmBp', 'TVDilP9uGF'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, QrRv9BvCEsQxeQSeFN.cs	High entropy of concatenated method names: 'rwxovqg73', 'gae3WY8va', 'Huymd49B3', 'GvxqW5Pk5', 'h2tfGR3uJ', 'IJ3PVn5Cl', 'NF21ovkfKpIYR3fuKn', 'd6gmRUNcTdRGEfjIKH', 'AiLRj6yQM', 'cxWhMl0H1'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, XiNn2Ljc6AoXOHANckF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'J2lhJNbb3m', 'ATYhC1WRhR', 'ud9htlJYoD', 'BiIhHTxWmt', 'NC3h5fFpr2', 'FGchYa0bI2', 'lOKhUU8Q5b'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, Xx74Xhj66hHmPyHIijR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ai8I8QJd2N', 'fbsIh7qSuL', 'l8hIE3loia', 'yDGIIJEuxK', 'itBILIK4ke', 'LHbIn2s8rR', 'fxiIup4CfD'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, brh9Ujpc06AJSplgEo.cs	High entropy of concatenated method names: 'NoO8xPUZf1', 'q7089edIus', 'VNX88X7IEb', 'W1h8ERCMDL', 'pYF8L7WwFa', 'dFC8uG6IiK', 'Dispose', 'bPFRA8OZUV', 'fyGRdKCLOo', 'Nr9RKBqaGF'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, AI7sUBjBoY3LmNFTxde.cs	High entropy of concatenated method names: 'NLCuK3wwh7E8i', 'caEY2FL6PvEq08JslFo', 'CLekG9Lq8dYNqOueHKG', 'frF9vsyzDFidAJUClHX', 'L0EnMbL9rA0jPm42C5P', 'xSM7AhLSUF5NMv0kIag'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, wTwkVUZLO4mIcrHJyq.cs	High entropy of concatenated method names: 'o5RV2RIIVX', 'yumVMRCcrR', 'Iq4VoxgSFL', 'VnCV3PoJla', 'MaVV00eOBd', 'MOLVmUZZWU', 'Nj7VqO13VO', 'Y2GVbjEomM', 'XjpVfKLHBj', 'D5lVPqK2Yu'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, GHFeyxz7mqsCJvdZTI.cs	High entropy of concatenated method names: 'EEkhmUt6DB', 'k2UhbpAXh1', 'xBXhf43vWr', 'jD7hOwvpTZ', 'rsxhstJQXr', 'Th8hQM5OXf', 'Xdthg259p0', 'lfqhuWp9qL', 'p4qh2YcdaT', 'VBmhMLBUyA'
Source: 0.2.hcy2SdW2z6.exe.49046a8.4.raw.unpack, ytaKslPPxIEyiYcfiW.cs	High entropy of concatenated method names: 'atHi0UotOQ', 'QHMiquXxSV', 'PO5KTMrocl', 'Uh9KQMPgN6', 'c7CKgWqSul', 'tt6Ka8nyIs', 'jp1KFGrlyD', 'qS9KwCfjN9', 'dCdKZBSnXR', 'BJHKyS6Fll'

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

File created: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpDE83.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: hcy2SdW2z6.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zZlsXaceOG.exe PID: 7440, type: MEMORYSTR

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Memory allocated: 1430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Memory allocated: 2F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Memory allocated: 1430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Memory allocated: 9710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Memory allocated: A710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Memory allocated: A930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Memory allocated: B930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Memory allocated: BF40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Memory allocated: CF40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Memory allocated: DF40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Memory allocated: 1250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Memory allocated: 4BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Memory allocated: 1030000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Memory allocated: 2A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Memory allocated: 9070000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Memory allocated: A070000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Memory allocated: A280000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Memory allocated: B280000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Memory allocated: B940000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Memory allocated: C940000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Memory allocated: F20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Memory allocated: 28C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Memory allocated: F50000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599198	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597318	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597120	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594975	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594402	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599820
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599702
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599593
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599484
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599375
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599266
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599155
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598688
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598344
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 597117
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596891
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596766
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596654
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596438
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596313
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596188
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595969
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595844
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595732
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595516
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595297
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595180
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595063
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594391
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594281
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594170
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594063

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7300	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1638	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6913	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1012	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Window / User API: threadDelayed 3797	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Window / User API: threadDelayed 6038	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Window / User API: threadDelayed 3092
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Window / User API: threadDelayed 6746

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8060	Thread sleep count: 7300 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7960	Thread sleep count: 1638 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7448	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8156	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2940	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7592	Thread sleep count: 3797 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7592	Thread sleep count: 6038 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -599198s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -597318s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -597120s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -596563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -596438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -596313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -594975s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -594402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -594281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -594172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe TID: 7560	Thread sleep time: -593953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7476	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7868	Thread sleep count: 3092 > 30
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -599820s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7868	Thread sleep count: 6746 > 30
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -599702s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -599593s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -599484s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -599375s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -599266s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -599155s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -599047s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -598938s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -598688s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -598344s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -597117s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -596891s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -596766s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -596654s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -596547s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -596438s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -596313s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -596188s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -596078s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -595969s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -595844s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -595732s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -595625s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -595516s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -595297s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -595180s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -595063s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -594844s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -594719s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -594609s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -594500s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -594391s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -594281s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -594170s >= -30000s
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe TID: 7872	Thread sleep time: -594063s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599198	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597318	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597120	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596438	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594975	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594402	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599820
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599702
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599593
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599484
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599375
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599266
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599155
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598688
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598344
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 597117
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596891
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596766
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596654
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596438
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596313
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596188
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595969
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595844
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595732
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595516
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595297
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595180
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 595063
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594391
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594281
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594170
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Thread delayed: delay time: 594063

Source: svchost.exe, 00000007.00000002.2863398142.000002118322B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2865561936.0000021188858000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: zZlsXaceOG.exe, 0000000D.00000002.3639915641.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: hcy2SdW2z6.exe, 00000008.00000002.3640392209.0000000000F66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllssz

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

Code function: 8_2_06A17D90 LdrInitializeThunk,

8_2_06A17D90

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hcy2SdW2z6.exe"
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zZlsXaceOG.exe"
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hcy2SdW2z6.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zZlsXaceOG.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Memory written: C:\Users\user\Desktop\hcy2SdW2z6.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Memory written: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hcy2SdW2z6.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zZlsXaceOG.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpDE83.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Process created: C:\Users\user\Desktop\hcy2SdW2z6.exe "C:\Users\user\Desktop\hcy2SdW2z6.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zZlsXaceOG" /XML "C:\Users\user\AppData\Local\Temp\tmpEF6B.tmp"
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Process created: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe "C:\Users\user\AppData\Roaming\zZlsXaceOG.exe"

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Users\user\Desktop\hcy2SdW2z6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Design\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Users\user\Desktop\hcy2SdW2z6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Queries volume information: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Design\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Design.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Queries volume information: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 9.2.zZlsXaceOG.exe.4511d18.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.zZlsXaceOG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hcy2SdW2z6.exe.4a10c68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hcy2SdW2z6.exe.4a31688.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.zZlsXaceOG.exe.44f12f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3639123759.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1277566601.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3644481905.0000000002D92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1236876601.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3644075067.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3644075067.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3644481905.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hcy2SdW2z6.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hcy2SdW2z6.exe PID: 8176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zZlsXaceOG.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zZlsXaceOG.exe PID: 504, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\hcy2SdW2z6.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\zZlsXaceOG.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 9.2.zZlsXaceOG.exe.4511d18.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.zZlsXaceOG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hcy2SdW2z6.exe.4a10c68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hcy2SdW2z6.exe.4a31688.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.zZlsXaceOG.exe.44f12f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3639123759.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1277566601.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1236876601.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hcy2SdW2z6.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hcy2SdW2z6.exe PID: 8176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zZlsXaceOG.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zZlsXaceOG.exe PID: 504, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 9.2.zZlsXaceOG.exe.4511d18.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.zZlsXaceOG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hcy2SdW2z6.exe.4a10c68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hcy2SdW2z6.exe.4a31688.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.zZlsXaceOG.exe.44f12f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.zZlsXaceOG.exe.4511d18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hcy2SdW2z6.exe.4a10c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hcy2SdW2z6.exe.4a31688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.zZlsXaceOG.exe.44f12f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3639123759.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1277566601.00000000044F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3644481905.0000000002D92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1236876601.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3644075067.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3644075067.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3644481905.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hcy2SdW2z6.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hcy2SdW2z6.exe PID: 8176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zZlsXaceOG.exe PID: 7440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zZlsXaceOG.exe PID: 504, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	11 Masquerading	1 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hcy2SdW2z6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
hcy2SdW2z6.exe