Edit tour

Windows Analysis Report
category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Overview

General Information

Sample name:	category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe renamed because original name is a hash value
Original sample name:	category05 sc110-11_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Analysis ID:	1636902
MD5:	2b1b16363ddcf9686ce1c9cc781038e9
SHA1:	d2bd4f0ea1e8164084cdac78673a4f4f4fceb3bf
SHA256:	7a1af0954cd7db05725aaa1b43ae149bc9f7bb610305b216744f3863e5247663
Tags:	exeuser-lowmal3
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates processes with suspicious names

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe (PID: 6476 cmdline: "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe" MD5: 2B1B16363DDCF9686CE1C9CC781038E9)

powershell.exe (PID: 6772 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe (PID: 6800 cmdline: "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe" MD5: 2B1B16363DDCF9686CE1C9CC781038E9)

WerFault.exe (PID: 5240 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 1516 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 6016 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7772411030:AAHExC6psygkhMTNAOoX6_LedLTg2d-pLt4", "Chat id": "-4724020147"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7772411030:AAHExC6psygkhMTNAOoX6_LedLTg2d-pLt4", "Chat_id": "-4724020147", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2db83:$a1: get_encryptedPassword 0x2dea4:$a2: get_encryptedUsername 0x2d993:$a3: get_timePasswordChanged 0x2da9c:$a4: get_passwordField 0x2db99:$a5: set_encryptedPassword 0x2f26b:$a7: get_logins 0x2f1ce:$a10: KeyLoggerEventArgs 0x2ee33:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.948993500.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e5cb:$a1: get_encryptedPassword 0x71beb:$a1: get_encryptedPassword 0xb500b:$a1: get_encryptedPassword 0x2e8ec:$a2: get_encryptedUsername 0x71f0c:$a2: get_encryptedUsername 0xb532c:$a2: get_encryptedUsername 0x2e3db:$a3: get_timePasswordChanged 0x719fb:$a3: get_timePasswordChanged 0xb4e1b:$a3: get_timePasswordChanged 0x2e4e4:$a4: get_passwordField 0x71b04:$a4: get_passwordField 0xb4f24:$a4: get_passwordField 0x2e5e1:$a5: set_encryptedPassword 0x71c01:$a5: set_encryptedPassword 0xb5021:$a5: set_encryptedPassword 0x2fcb3:$a7: get_logins 0x732d3:$a7: get_logins 0xb66f3:$a7: get_logins 0x2fc16:$a10: KeyLoggerEventArgs 0x73236:$a10: KeyLoggerEventArgs 0xb6656:$a10: KeyLoggerEventArgs
Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6476	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6476	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6476	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6476	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6476	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6b375:$a1: get_encryptedPassword 0x6b68c:$a2: get_encryptedUsername 0x6b18f:$a3: get_timePasswordChanged 0x6b298:$a4: get_passwordField 0x6b38b:$a5: set_encryptedPassword 0x6d860:$a7: get_logins 0x6d7c3:$a10: KeyLoggerEventArgs 0x6d42c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6800	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6800	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6800	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6800	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x61ee:$a1: get_encryptedPassword 0x6505:$a2: get_encryptedUsername 0x6008:$a3: get_timePasswordChanged 0x6111:$a4: get_passwordField 0x6204:$a5: set_encryptedPassword 0x86d9:$a7: get_logins 0x863c:$a10: KeyLoggerEventArgs 0x82a5:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bf83:$a1: get_encryptedPassword 0x2c2a4:$a2: get_encryptedUsername 0x2bd93:$a3: get_timePasswordChanged 0x2be9c:$a4: get_passwordField 0x2bf99:$a5: set_encryptedPassword 0x2d66b:$a7: get_logins 0x2d5ce:$a10: KeyLoggerEventArgs 0x2d233:$a11: KeyLoggerEventArgsEventHandler
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39df3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39496:$a3: \Google\Chrome\User Data\Default\Login Data 0x396f3:$a4: \Orbitum\User Data\Default\Login Data 0x3a0d2:$a5: \Kometa\User Data\Default\Login Data
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2cbb7:$s1: UnHook 0x2cbbe:$s2: SetHook 0x2cbc6:$s3: CallNextHook 0x2cbd3:$s4: _hook
2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dd83:$a1: get_encryptedPassword 0x2e0a4:$a2: get_encryptedUsername 0x2db93:$a3: get_timePasswordChanged 0x2dc9c:$a4: get_passwordField 0x2dd99:$a5: set_encryptedPassword 0x2f46b:$a7: get_logins 0x2f3ce:$a10: KeyLoggerEventArgs 0x2f033:$a11: KeyLoggerEventArgsEventHandler
2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b296:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b4f3:$a4: \Orbitum\User Data\Default\Login Data 0x3bed2:$a5: \Kometa\User Data\Default\Login Data
2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e9b7:$s1: UnHook 0x2e9be:$s2: SetHook 0x2e9c6:$s3: CallNextHook 0x2e9d3:$s4: _hook
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bf83:$a1: get_encryptedPassword 0x2c2a4:$a2: get_encryptedUsername 0x2bd93:$a3: get_timePasswordChanged 0x2be9c:$a4: get_passwordField 0x2bf99:$a5: set_encryptedPassword 0x2d66b:$a7: get_logins 0x2d5ce:$a10: KeyLoggerEventArgs 0x2d233:$a11: KeyLoggerEventArgsEventHandler
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39df3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39496:$a3: \Google\Chrome\User Data\Default\Login Data 0x396f3:$a4: \Orbitum\User Data\Default\Login Data 0x3a0d2:$a5: \Kometa\User Data\Default\Login Data
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2cbb7:$s1: UnHook 0x2cbbe:$s2: SetHook 0x2cbc6:$s3: CallNextHook 0x2cbd3:$s4: _hook
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dd83:$a1: get_encryptedPassword 0x711a3:$a1: get_encryptedPassword 0x2e0a4:$a2: get_encryptedUsername 0x714c4:$a2: get_encryptedUsername 0x2db93:$a3: get_timePasswordChanged 0x70fb3:$a3: get_timePasswordChanged 0x2dc9c:$a4: get_passwordField 0x710bc:$a4: get_passwordField 0x2dd99:$a5: set_encryptedPassword 0x711b9:$a5: set_encryptedPassword 0x2f46b:$a7: get_logins 0x7288b:$a7: get_logins 0x2f3ce:$a10: KeyLoggerEventArgs 0x727ee:$a10: KeyLoggerEventArgs 0x2f033:$a11: KeyLoggerEventArgsEventHandler 0x72453:$a11: KeyLoggerEventArgsEventHandler
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7f013:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b296:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e6b6:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b4f3:$a4: \Orbitum\User Data\Default\Login Data 0x7e913:$a4: \Orbitum\User Data\Default\Login Data 0x3bed2:$a5: \Kometa\User Data\Default\Login Data 0x7f2f2:$a5: \Kometa\User Data\Default\Login Data
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e9b7:$s1: UnHook 0x71dd7:$s1: UnHook 0x2e9be:$s2: SetHook 0x71dde:$s2: SetHook 0x2e9c6:$s3: CallNextHook 0x71de6:$s3: CallNextHook 0x2e9d3:$s4: _hook 0x71df3:$s4: _hook
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dd83:$a1: get_encryptedPassword 0x713a3:$a1: get_encryptedPassword 0xb47c3:$a1: get_encryptedPassword 0x2e0a4:$a2: get_encryptedUsername 0x716c4:$a2: get_encryptedUsername 0xb4ae4:$a2: get_encryptedUsername 0x2db93:$a3: get_timePasswordChanged 0x711b3:$a3: get_timePasswordChanged 0xb45d3:$a3: get_timePasswordChanged 0x2dc9c:$a4: get_passwordField 0x712bc:$a4: get_passwordField 0xb46dc:$a4: get_passwordField 0x2dd99:$a5: set_encryptedPassword 0x713b9:$a5: set_encryptedPassword 0xb47d9:$a5: set_encryptedPassword 0x2f46b:$a7: get_logins 0x72a8b:$a7: get_logins 0xb5eab:$a7: get_logins 0x2f3ce:$a10: KeyLoggerEventArgs 0x729ee:$a10: KeyLoggerEventArgs 0xb5e0e:$a10: KeyLoggerEventArgs
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3bbf3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7f213:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc2633:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b296:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e8b6:$a3: \Google\Chrome\User Data\Default\Login Data 0xc1cd6:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b4f3:$a4: \Orbitum\User Data\Default\Login Data 0x7eb13:$a4: \Orbitum\User Data\Default\Login Data 0xc1f33:$a4: \Orbitum\User Data\Default\Login Data 0x3bed2:$a5: \Kometa\User Data\Default\Login Data 0x7f4f2:$a5: \Kometa\User Data\Default\Login Data 0xc2912:$a5: \Kometa\User Data\Default\Login Data
0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e9b7:$s1: UnHook 0x71fd7:$s1: UnHook 0xb53f7:$s1: UnHook 0x2e9be:$s2: SetHook 0x71fde:$s2: SetHook 0xb53fe:$s2: SetHook 0x2e9c6:$s3: CallNextHook 0x71fe6:$s3: CallNextHook 0xb5406:$s3: CallNextHook 0x2e9d3:$s4: _hook 0x71ff3:$s4: _hook 0xb5413:$s4: _hook
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", ParentImage: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, ParentProcessId: 6476, ParentProcessName: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", ProcessId: 6772, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", ParentImage: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, ParentProcessId: 6476, ParentProcessName: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe", ProcessId: 6772, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6016, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7772411030:AAHExC6psygkhMTNAOoX6_LedLTg2d-pLt4", "Chat id": "-4724020147"}
Source: 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7772411030:AAHExC6psygkhMTNAOoX6_LedLTg2d-pLt4", "Chat_id": "-4724020147", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	ReversingLabs: Detection: 34%
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Virustotal: Detection: 30%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack	String decryptor: 7772411030:AAHExC6psygkhMTNAOoX6_LedLTg2d-pLt4
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack	String decryptor: -4724020147
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack	String decryptor:
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack	String decryptor: 7772411030:AAHExC6psygkhMTNAOoX6_LedLTg2d-pLt4
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack	String decryptor: -4724020147
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack	String decryptor:

Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Users\user\Desktop\ggAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ggAT.pdbs\ggAT.pdbpdbgAT.pdbpdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948105506.00000000007A7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.pdbH source: WER893C.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\ggAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER893C.tmp.dmp.6.dr
Source:	Binary string: ggAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source:	Binary string: ggAT.pdbSHA256 source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source:	Binary string: System.Configuration.ni.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER893C.tmp.dmp.6.dr
Source:	Binary string: System.Xml.pdbd source: WER893C.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\ggAT.pdbpdbgAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000A66000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\ggAT.pdb-w source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000A66000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: zsymbols\exe\ggAT.pdbmo source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948105506.00000000007A7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER893C.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbO source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: zHPaoHC:\Users\user\Desktop\ggAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948105506.00000000007A7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ?moC:\Users\user\Desktop\ggAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948105506.00000000007A7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: @mo.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948105506.00000000007A7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: HPao(C:\Windows\ggAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948105506.00000000007A7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\ggAT.pdbn source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.PDBz source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000A66000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\exe\ggAT.pdbEw% source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000A66000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9\ source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbMw source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000A66000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER893C.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\ggAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER893C.tmp.dmp.6.dr

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Code function: 4x nop then jmp 07C2880Dh

0_2_07C28DBA

Source: global traffic

TCP traffic: 192.168.2.7:62318 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 158.101.44.242 158.101.44.242

Source: unknown

DNS query: name: checkip.dyndns.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp, category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp, category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948993500.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp, category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948993500.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948993500.0000000002996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948993500.0000000002996000.00000004.00000800.00020000.00000000.sdmp, category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948993500.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948993500.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp, category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 00000009.00000002.2106417469.0000022C61C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.856756542.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948993500.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp, category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948993500.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp, category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000009.00000003.1203065246.0000022C61BA0000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: qmgr.db.9.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp, category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6476, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6800, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_016C3E28	0_2_016C3E28
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_016CE164	0_2_016CE164
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_016C6F98	0_2_016C6F98
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_07C245F0	0_2_07C245F0
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_07C241A8	0_2_07C241A8
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_07C241B8	0_2_07C241B8
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_07C261B8	0_2_07C261B8
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_07C23D80	0_2_07C23D80
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_07C25D80	0_2_07C25D80
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_080B7C20	0_2_080B7C20
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_080BA720	0_2_080BA720
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_080B9AC0	0_2_080B9AC0
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_080B8257	0_2_080B8257
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_080B7660	0_2_080B7660
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_080B7670	0_2_080B7670
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 2_2_00E23AA1	2_2_00E23AA1
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 2_2_00E23E09	2_2_00E23E09

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 1516

Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.855252658.000000000186E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.872420583.0000000008688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.856756542.00000000035DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.871847954.0000000007F40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.872273709.0000000008600000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.856756542.000000000353E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.856756542.00000000036F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Binary or memory string: OriginalFilenameggAT.exe6 vs category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6476, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6800, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, O--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, O--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, O--.cs	Base64 encoded string: 'KWRVsNJa7mk/oSuy2WfCkJjef7DgvfIcJ9l2tJhRpe7qa6fDVQRFScVnsdwZVygn'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, O--.cs	Base64 encoded string: 'KWRVsNJa7mk/oSuy2WfCkJjef7DgvfIcJ9l2tJhRpe7qa6fDVQRFScVnsdwZVygn'

Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, za4GvLbh8ZiL1EmLy8.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, za4GvLbh8ZiL1EmLy8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, LFRhGgX1FfCQG4qZq6.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, LFRhGgX1FfCQG4qZq6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, LFRhGgX1FfCQG4qZq6.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/15@2/2

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Mutant created: \Sessions\1\BaseNamedObjects\LmlRhzWrJstd
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6800

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f5fweu21.jlt.ps1

Jump to behavior

Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	ReversingLabs: Detection: 34%
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Virustotal: Detection: 30%

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

File read: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 1516
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Users\user\Desktop\ggAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ggAT.pdbs\ggAT.pdbpdbgAT.pdbpdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948105506.00000000007A7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.pdbH source: WER893C.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\ggAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER893C.tmp.dmp.6.dr
Source:	Binary string: ggAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source:	Binary string: ggAT.pdbSHA256 source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe
Source:	Binary string: System.Configuration.ni.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER893C.tmp.dmp.6.dr
Source:	Binary string: System.Xml.pdbd source: WER893C.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\ggAT.pdbpdbgAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000A66000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\ggAT.pdb-w source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000A66000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: zsymbols\exe\ggAT.pdbmo source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948105506.00000000007A7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER893C.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbO source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: zHPaoHC:\Users\user\Desktop\ggAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948105506.00000000007A7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: ?moC:\Users\user\Desktop\ggAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948105506.00000000007A7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: @mo.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948105506.00000000007A7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: HPao(C:\Windows\ggAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948105506.00000000007A7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\ggAT.pdbn source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.PDBz source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000A66000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\exe\ggAT.pdbEw% source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000A66000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb9\ source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbMw source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000A66000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER893C.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\ggAT.pdb source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER893C.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER893C.tmp.dmp.6.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, LFRhGgX1FfCQG4qZq6.cs

.Net Code: pwWicR7D4G System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_080BE188 push eax; mov dword ptr [esp], edx	0_2_080BE19C
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_080BE190 push eax; mov dword ptr [esp], edx	0_2_080BE19C
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_088778E8 pushfd ; ret	0_2_088778F1
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_0887AC82 pushad ; iretd	0_2_0887ACE1
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Code function: 0_2_08877DBC push 9C088559h; ret	0_2_08877DC5

Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Static PE information: section name: .text entropy: 7.879888640908413

Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, WaSKkhjyguoCrdZKtF.cs	High entropy of concatenated method names: 'Hg1rP9VmJV', 'cjxrh0fc2u', 'ldNrvyWJRf', 'zFIrqMDX2i', 'lTIrHCGlhK', 'kiSrniu8J5', 'O6OgKd2ETPB35isqEg', 'nu7EXZqiYweBpeCwSZ', 'kDLrrZ1DiM', 'mFCrBfyu4J'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, iF52KfcMthnECk9bBu.cs	High entropy of concatenated method names: 'Tf3HCuX1Vq', 'zddHTCRl26', 'WQqH5tQ0ka', 'TYvH2Fy48U', 'JCxHFX5xDT', 'Tx1HpaPrpx', 'krZHMZRixA', 'JQ8HXCplcr', 'bBMHaNBrFF', 'CdwHdExxvd'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, QhNTXaG5XFjl1Xd2jZ.cs	High entropy of concatenated method names: 'UYsPL0Sd2O', 'xFkPK673wf', 'ESxPIbXxFv', 'a0iI7wE296', 'S4RIzGT867', 'X7HPkC2IO3', 'rouPrcyiux', 'GVlP6MrbPC', 'LcTPBc0Oo9', 'eZ1PiSEhjZ'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, S5ngMqt7UehiaePXXu.cs	High entropy of concatenated method names: 'qrmIQgphYn', 'meIIENKCak', 'U9PIgsugZN', 'ToString', 'Sc2I8REsc2', 'BJWIDW0kyM', 'gtJ9NIx6OQdtaLldwZi', 'PN5avGxlnyJ7cfTYMUP', 'IioQYuxICiwHxpVwQjR'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, Bv4SkXLI0FUiPcTZbU.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'HG66uT563j', 'hQj67Ellwe', 'j9H6zYWkNQ', 'r8KBk4MZWh', 'p8eBrWnotE', 'OKQB6Nb3b8', 'oYJBBvuubd', 'SpNjMRdgQPA20yePlJc'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, lXgFERfwKh3uvWWD83.cs	High entropy of concatenated method names: 'oPsKJyL7Wj', 'VDQKe8mQCI', 'iV7KAEJcrf', 'jwfKthunAd', 'e1SKHOrE1P', 'atNKnj70Ca', 'Ay6K3KBZ83', 'p7OKyaiswI', 'Na0KxNeVEK', 'fRwKSpCcph'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, Lb2HMIyBPWbLMRxlel.cs	High entropy of concatenated method names: 'ToString', 'pHXnjjERgL', 'zRjnFjndev', 'YOFnpGsWjN', 'EounMd8c41', 'WFenXb420v', 'k8enahjMv3', 'OQandxK3dR', 'oZ4n0TM4EH', 'u0snZLT3Yb'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, TSSX4OqQALK9jipj49.cs	High entropy of concatenated method names: 'CWUIWjdVrp', 'LkCIltcJ0y', 'CNYIsOHCxQ', 'h3NIPb3SQb', 'KGBIhm42IK', 'QlysgBhQF7', 'TGcs8bFd8J', 'jBFsDvf2O3', 'XdysRudpo8', 'IRBsuMBHTh'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, sgH40s2bZ67uB2Ey5j.cs	High entropy of concatenated method names: 'Yuq3RcTNqR', 'LhD37PdumW', 'zW1ykYRhtd', 'DqUyrSVt8Y', 'CjS3j79VWH', 'PNf3TmZugX', 'BLL31IBqDP', 'NRO35uI1GZ', 'Eqj321C1iB', 'CR73QwtKge'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, c22TK6pmDR93odXi9sQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EQ7Sj0KNcc', 'UlQSTV8XgK', 'BcfS1ywWGU', 'CWES5q6ihK', 'aQNS2KL4Qj', 'k6RSQE0sAR', 'gi6SEQMPmT'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, JwCiHVijZDF5xhYZNF.cs	High entropy of concatenated method names: 'mVBSKmqyCQ', 'BHqSsW1x8l', 'Qv3SI6XrZ1', 'lW5SPRyK61', 'btbSxZBXXg', 'AklShmc5jG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, LFRhGgX1FfCQG4qZq6.cs	High entropy of concatenated method names: 'XgNBWm9tj9', 'b2dBLdAM3e', 'K74Bl35aCa', 'U8CBKd0tCv', 'XoDBscGMnG', 'RDvBI5X1y0', 'FFBBPli1Xt', 'nD0BhfehOT', 'pEaB9XRtD8', 'XpUBvUQE7T'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, nxMtFOppSZX7vffwgMd.cs	High entropy of concatenated method names: 'tQTS7TA0NB', 'F6PSzLucEb', 'A5pwkROJrs', 'Tj9wrP5mRq', 'fkGw6wl57d', 'XyLwBg2Fv7', 'WawwiNJHjL', 'ErJwWNYRYS', 'hXFwLaQY0M', 'zw4wl4PY9l'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, TmjQLFnMGFfNbJZ8N0.cs	High entropy of concatenated method names: 'Dispose', 'oHMruhkVbO', 'y0v6F5Bb6O', 'StxNgcxuRr', 'L3Br7wvp20', 'AC7rzrx7vc', 'ProcessDialogKey', 'c3e6kXaBCo', 'zB56rw6Adj', 'Oqh66cvaKb'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, Or4ZMqsJ6447HQdUsH.cs	High entropy of concatenated method names: 'VTNfAn6lsb', 'tTqftws9qC', 'bGUfGOOplb', 'd1JfFjVrfO', 'bLPfM9op9G', 'wIHfXgPiC8', 'sjlfd8RXg0', 'tZ8f0n3BtM', 'i2BfCeuCdc', 'mOofjl47Cv'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, KH5l9UvF0bmXi0ADdP.cs	High entropy of concatenated method names: 'BHdxHr0Qck', 'KIcx3d3X3C', 'RTExxKkXaU', 'eSxxwWtcgZ', 'XRHxUP3GHv', 'rfuxOWjeX8', 'Dispose', 'J5GyL86sxG', 'wd6yl4Nh4h', 'IKyyKS613f'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, KMu5OPpjA8WfNHr2tNd.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UoxNxRrP88', 'IZiNSeiL3p', 'bCMNwnbIb8', 'EWINN57GyF', 'k8sNU4ciMo', 'L5TN45G2EB', 'tnfNOombMQ'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, nh84pC4MxY6jLPcnCh.cs	High entropy of concatenated method names: 'HK3c90DSq', 'R7xJG4vRg', 'LhkeSdRLI', 'KwbYkeyAl', 'uRRtSN83h', 'jV4oUQiRA', 'iF3CPv6gLZ6oOxIuqX', 'FlGp5VCSD591qeBPx6', 'EPtyN45rj', 'nnmSmwe9e'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, RoCLUezLYRQfOTml7S.cs	High entropy of concatenated method names: 'E6xSerbnb2', 'Wk3SA0abLP', 'gLOSt1CuGb', 'NYPSGkjvTn', 'CSwSFklfHM', 'S0wSMI3vGV', 'tZhSXg8ilj', 'rpLSOyLfJR', 'pG2SVLLreK', 'A7hSmYf0oa'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, Cryh8PQj0PSSCwVpyO.cs	High entropy of concatenated method names: 'b2G3vq4bXi', 'nDy3qhdapm', 'ToString', 'r9k3LuwViD', 'DMj3l0YgpB', 'HM63Kkg2A3', 'A3r3sZlIdo', 'GaE3IFxf2o', 'WA83PPtW8b', 'Rd33hUXtSW'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, CwVnGAMiYP0yubfXN6.cs	High entropy of concatenated method names: 'UTdPVCFds7', 'XbcPmnmSh2', 'uh0PcSln3y', 'qMPPJb7i3M', 'qRnPbVkCm4', 'iOhPeg4PtU', 'hspPYfBQQN', 'TxDPAAmyYs', 'qt1PtXlomH', 'pssPoD9OGt'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, za4GvLbh8ZiL1EmLy8.cs	High entropy of concatenated method names: 'OCsl5HriGA', 'MM9l2723Qr', 'TCTlQYjLdG', 'ldalEOLPxq', 'liAlgvedJr', 'rXhl87k0xN', 'LedlD6aEI5', 'KIMlRg8Qdd', 'qKVluAYFyl', 'YWEl72j8P7'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, aCDhmOVUc9edZ5nAev.cs	High entropy of concatenated method names: 'TcBsbh63ib', 'zAksYnCR1I', 'E9uKpdpLtf', 'AerKMKgtCf', 'rcMKXtt6Rd', 'EtFKaAMg4t', 'PwHKdRAPT3', 'KERK0Zear8', 'EjHKZKCxr2', 'hBAKCy7ZvL'
Source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.7f40000.5.raw.unpack, traSWsdQNRDcStEiTn.cs	High entropy of concatenated method names: 'RpyxGnCQKg', 'gZFxFKsbKj', 'RkWxpVlST1', 'yLhxMeTAuK', 'Tf7xX5pgrh', 'hggxa4LaGH', 'qZMxdaVP3H', 'FEZx0XyMmL', 'CL3xZ41Z3o', 'QgdxC7mWJq'

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	File created: \category05 sc110-11#u3000_z01g-00008d siparis po15804-25 - h64po1.exe
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	File created: \category05 sc110-11#u3000_z01g-00008d siparis po15804-25 - h64po1.exe
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	File created: \category05 sc110-11#u3000_z01g-00008d siparis po15804-25 - h64po1.exe
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	File created: \category05 sc110-11#u3000_z01g-00008d siparis po15804-25 - h64po1.exe	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	File created: \category05 sc110-11#u3000_z01g-00008d siparis po15804-25 - h64po1.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6476, type: MEMORYSTR

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: 16C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: 34E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: 17A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: 9BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: ABE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: AE00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: BE00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: 28D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Memory allocated: 48D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 239875	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 239766	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 239656	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 239518	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 239406	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 239297	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 239177	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Window / User API: threadDelayed 578	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Window / User API: threadDelayed 784	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5890	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3735	Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 6588	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 6588	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 6588	Thread sleep time: -239875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 6588	Thread sleep time: -239766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 6588	Thread sleep time: -239656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 6588	Thread sleep time: -239518s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 6588	Thread sleep time: -239406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 6588	Thread sleep time: -239297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe TID: 6588	Thread sleep time: -239177s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5880	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7088	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 239875	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 239766	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 239656	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 239518	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 239406	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 239297	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Thread delayed: delay time: 239177	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: svchost.exe, 00000009.00000002.2105249459.0000022C5C62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2106655123.0000022C61C58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe, 00000002.00000002.948167828.0000000000A66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Memory written: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"			Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Process created: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe "C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe"			Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.948993500.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6800, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6800, type: MEMORYSTR

Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6800, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000002.00000002.948993500.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6800, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4e1ce68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe.4dd9848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.947953994.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.859465487.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe PID: 6800, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	OS Credential Dumping	31 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exe