Analysis Report sSQ1r2KRD8.exe

Overview

General Information

Sample Name: sSQ1r2KRD8.exe
Analysis ID: 286546
MD5: d408d9b719debd7ac1a42cae6128890f
SHA1: cabbd9c628578f60bc6d6c09d49123cd9deda8b0
SHA256: 27ed7853f8176995ba85c2fb099e49a6344c9d8afa38b2cb8d137032d96f9db8
Tags: exe, MassLogger

Detection

MassLogger RAT
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM_3
Yara detected MassLogger RAT
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Creates files in alternative data streams (ADS)
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Startup

  • System is w10x64
  • sSQ1r2KRD8.exe (PID: 6732 cmdline: 'C:\Users\user\Desktop\sSQ1r2KRD8.exe' MD5: D408D9B719DEBD7AC1A42CAE6128890F)
    • notepad.exe (PID: 6872 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • hdhskdhl.exe (PID: 6888 cmdline: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe MD5: D408D9B719DEBD7AC1A42CAE6128890F)
        • hdhskdhl.exe (PID: 6920 cmdline: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe MD5: D408D9B719DEBD7AC1A42CAE6128890F)
          • WerFault.exe (PID: 6908 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6920 -s 2208 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • hdhskdhl.exe (PID: 6960 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe' 2 6920 6209031 MD5: D408D9B719DEBD7AC1A42CAE6128890F)
          • hdhskdhl.exe (PID: 2984 cmdline: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe MD5: D408D9B719DEBD7AC1A42CAE6128890F)
            • hdhskdhl.exe (PID: 6576 cmdline: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe MD5: D408D9B719DEBD7AC1A42CAE6128890F)
            • hdhskdhl.exe (PID: 6592 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe' 2 6576 6250000 MD5: D408D9B719DEBD7AC1A42CAE6128890F)
  • wscript.exe (PID: 7040 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • hdhskdhl.exe (PID: 7104 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe' MD5: D408D9B719DEBD7AC1A42CAE6128890F)
      • hdhskdhl.exe (PID: 7160 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe' MD5: D408D9B719DEBD7AC1A42CAE6128890F)
      • hdhskdhl.exe (PID: 3644 cmdline: 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe' 2 7160 6219562 MD5: D408D9B719DEBD7AC1A42CAE6128890F)
  • cleanup

Note on the tree: the dropped file hdhskdhl.exe has the same MD5 as the submitted sample, so the payload copies itself unchanged into %AppData%\Roaming\appdata. In each invocation of the form hdhskdhl.exe 2 <pid> <n>, the second argument is the PID of another hdhskdhl.exe instance in the tree (6920, 6576, 7160); 6920 is the instance WerFault.exe reports as crashed.

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000007.00000002.265616127.0000000004332000.00000040.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000003.00000002.300920082.0000000002362000.00000040.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000002.00000002.233189387.0000000002782000.00000040.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000008.00000002.494808373.0000000002382000.00000040.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000003.00000002.298249916.00000000004A9000.00000040.00000001.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
(33 matching memory dumps in the full report; the first 5 are shown)

Unpacked PEs

Source | Rule | Description | Author
3.2.hdhskdhl.exe.2360000.3.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
3.2.hdhskdhl.exe.720000.1.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
7.2.hdhskdhl.exe.4330000.4.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
3.2.hdhskdhl.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
3.2.hdhskdhl.exe.720000.1.raw.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
(11 matching unpacked PEs in the full report; the first 5 are shown)

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location
Source: File created | Author: Joe Security | Data: EventID: 11 (Sysmon FileCreate), Image: C:\Windows\SysWOW64\notepad.exe, ProcessId: 6872, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.vbs

The writer of win.vbs is notepad.exe (PID 6872), which the sample started in suspended mode (see the process tree and the injection signatures above), not the sample's own image; a file-create rule keyed only on the submitted binary's name would miss this.
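The Sigma hit above is one Sysmon FileCreate event. Below is an added example, written for this page and not taken from Joe Security or the report, of how the host-side chain in the process tree could be detected over Sysmon-style events: a script written into the per-user Startup folder, a system binary (here notepad.exe) launching an executable from AppData, and a script host executing a file from Startup. The events are constructed from the paths and PIDs in this report; the rule names, the explorer.exe parents, the extra script extensions and the hollowing targets other than notepad.exe are assumptions.

```python
import ntpath
import re

# Locations this report turns on: the per-user Startup folder (persistence) and
# the roaming AppData tree the payload copies itself into as hdhskdhl.exe.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
# Script types WSH or the shell will run from Startup (assumed list; the report
# only shows .vbs).
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1")
# System binaries with no legitimate reason to spawn an executable from AppData.
# notepad.exe is the one in this report; the others are assumed hollowing targets.
HOLLOW_TARGETS = {"notepad.exe", "svchost.exe", "regasm.exe", "regsvcs.exe",
                  "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list:
    """Return the names of the rules a Sysmon-style event matches (empty if none)."""
    hits = []
    if ev.get("EventID") == 11:  # Sysmon FileCreate
        target = ev.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(target) and target.lower().endswith(SCRIPT_EXTS):
            hits.append("startup_script_drop")
    elif ev.get("EventID") == 1:  # Sysmon ProcessCreate
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        if basename(parent) in HOLLOW_TARGETS and APPDATA_RE.search(image):
            hits.append("system_binary_spawns_appdata_exe")
        if basename(image) in SCRIPT_HOSTS and STARTUP_DIR_RE.search(ev.get("CommandLine", "")):
            hits.append("script_host_runs_startup_script")
    return hits


def triage(events) -> list:
    """Run every event through check_event; returns (rule, ProcessId, detail) triples."""
    findings = []
    for ev in events:
        detail = ev.get("TargetFilename") or ev.get("CommandLine") or ev.get("Image")
        for rule in check_event(ev):
            findings.append((rule, ev.get("ProcessId"), detail))
    return findings


# Constructed events modelled on the process tree and the Sigma hit in this
# report (not real telemetry). The last event is a benign Startup .lnk for contrast.
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
PAYLOAD = r"C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6732, "Image": r"C:\Users\user\Desktop\sSQ1r2KRD8.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 6872, "Image": r"C:\Windows\SysWOW64\notepad.exe",
     "ParentImage": r"C:\Users\user\Desktop\sSQ1r2KRD8.exe"},
    {"EventID": 11, "ProcessId": 6872, "Image": r"C:\Windows\SysWOW64\notepad.exe",
     "TargetFilename": STARTUP + r"\win.vbs"},
    {"EventID": 1, "ProcessId": 6888, "Image": PAYLOAD,
     "ParentImage": r"C:\Windows\SysWOW64\notepad.exe"},
    {"EventID": 1, "ProcessId": 7040, "Image": r"C:\Windows\System32\WScript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "'C:\\Windows\\System32\\WScript.exe' '" + STARTUP + "\\win.vbs'"},
    {"EventID": 1, "ProcessId": 7104, "Image": PAYLOAD,
     "ParentImage": r"C:\Windows\System32\WScript.exe"},
    {"EventID": 11, "ProcessId": 4242, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": STARTUP + r"\Slack.lnk"},
]

if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:36} pid={pid} {detail}")
```

Run against the constructed events it yields three findings (the win.vbs drop by PID 6872, the AppData executable spawned by notepad.exe as PID 6888, and wscript.exe PID 7040 running the Startup script) and nothing for the benign .lnk. Matching on the writing process image rather than on the sample name is what makes the first rule survive the hollowing step.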

                      Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sSQ1r2KRD8.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Avira: detection malicious, Label: TR/Injector.bvpej
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Virustotal: Detection: 46%
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | ReversingLabs: Detection: 75%
Multi AV Scanner detection for submitted file
Source: sSQ1r2KRD8.exe | Virustotal: Detection: 46%
Source: sSQ1r2KRD8.exe | Metadefender: Detection: 31%
Source: sSQ1r2KRD8.exe | ReversingLabs: Detection: 75%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: sSQ1r2KRD8.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.hdhskdhl.exe.42c0000.3.unpack | Avira: Label: TR/Patched.Ren.Gen

The dropped file and the submitted sample carry the same MD5 (D408D9B719DEBD7AC1A42CAE6128890F in the process tree), so the identical scanner percentages for the two files are one result, not two independent detections. The Avira label for the unpacked region (TR/Patched.Ren.Gen) is the only verdict on the decoded payload itself.

Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: 0_2_0040840C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: 0_2_00405080 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 2_2_0040840C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 2_2_00405080 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 4_2_0040840C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 4_2_00405080 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 7_2_0040840C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 7_2_00405080 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipify.org (18 identical queries in the report, listed once here)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive (3 identical requests)
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 54.235.83.248
Source: Joe Sandbox View | IP Address: 54.225.66.103
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive (3 identical requests; the request head carries only Host and Connection, no User-Agent)
Source: hdhskdhl.exe, 00000003.00000002.304129221.0000000002BE1000.00000004.00000001.sdmp, hdhskdhl.exe, 00000008.00000002.499279697.0000000002991000.00000004.00000001.sdmp | String found in binary or memory: fUsage: https://www.youtube.com/watch?v=Qxk6cu21JSg equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: hdhskdhl.exe, 00000003.00000002.304559221.0000000002D28000.00000004.00000001.sdmp, hdhskdhl.exe, 00000008.00000002.499580342.0000000002AD9000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org
Source: hdhskdhl.exe, 00000003.00000002.304559221.0000000002D28000.00000004.00000001.sdmp, hdhskdhl.exe, 00000008.00000002.499580342.0000000002AD9000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/
Source: hdhskdhl.exe, 00000008.00000002.499580342.0000000002AD9000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/Pv
Source: hdhskdhl.exe, 00000008.00000002.499580342.0000000002AD9000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/p
Source: hdhskdhl.exe, 00000003.00000002.304559221.0000000002D28000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org4
Source: hdhskdhl.exe, 00000003.00000002.304129221.0000000002BE1000.00000004.00000001.sdmp, hdhskdhl.exe, 00000008.00000002.499279697.0000000002991000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.orgD
Source: hdhskdhl.exe, 00000008.00000002.499580342.0000000002AD9000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify8
Source: hdhskdhl.exe, 00000003.00000002.304590081.0000000002D39000.00000004.00000001.sdmp, hdhskdhl.exe, 00000008.00000002.499653747.0000000002AEA000.00000004.00000001.sdmp | String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: hdhskdhl.exe, 00000003.00000002.304559221.0000000002D28000.00000004.00000001.sdmp, hdhskdhl.exe, 00000008.00000002.499580342.0000000002AD9000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hdhskdhl.exe, 00000003.00000002.304129221.0000000002BE1000.00000004.00000001.sdmp, hdhskdhl.exe, 00000008.00000002.499279697.0000000002991000.00000004.00000001.sdmp | String found in binary or memory: http://surdmutablet.com/panel/?/upload
Source: hdhskdhl.exe, 00000008.00000002.502183895.0000000003A11000.00000004.00000001.sdmp | String found in binary or memory: http://www.codeplex.com/DotNetZip.
Source: hdhskdhl.exe, 00000003.00000002.304129221.0000000002BE1000.00000004.00000001.sdmp, hdhskdhl.exe, 00000008.00000002.499279697.0000000002991000.00000004.00000001.sdmp | String found in binary or memory: https://www.youtube.com/watch?v=Qxk6cu21JSg

The panel URL http://surdmutablet.com/panel/?/upload appears only as a string in the memory dumps; the report records no DNS query or HTTP request to that host, the only observed traffic is to api.ipify.org. Treat the domain as an indicator recovered from memory rather than as confirmed command-and-control.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: 0_2_00420AC0 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 4_2_00421104 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: 0_2_0043D334 GetKeyboardState
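The networking signatures above rest on three observations: repeated DNS lookups of api.ipify.org, GET requests whose head carries no User-Agent, and the destination being a public IP echo service. The following is an added example, written for this page and not code from Joe Security or the report, that applies those three checks to constructed traffic. The two malicious request heads are the exact bytes the report shows; the NCSI probe, the extra echo-service hostnames and the benign DNS names are assumptions added for contrast.

```python
from collections import Counter

# Public IP echo services. api.ipify.org is the one this sample contacts; the
# others are assumed, commonly abused equivalents and are not from the report.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "icanhazip.com",
                   "checkip.amazonaws.com", "ifconfig.me", "ip-api.com"}


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request head into request-line fields and a
    lower-cased header map. Only the head (before the blank line) is parsed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def http_findings(raw_requests) -> list:
    """Apply two of the report's network signatures to raw request heads:
    a request with no User-Agent header, and a request to an IP echo service."""
    findings = []
    for raw in raw_requests:
        req = parse_http_request(raw)
        host = req["headers"].get("host", "").lower()
        if "user-agent" not in req["headers"]:
            findings.append(("http_no_user_agent", host, req["path"]))
        if host in IP_LOOKUP_HOSTS:
            findings.append(("public_ip_lookup", host, req["path"]))
    return findings


def dns_repeat_findings(queries, threshold: int = 10) -> list:
    """Names resolved at least `threshold` times in the captured window; the
    report shows 18 lookups of api.ipify.org from a single analysis run."""
    counts = Counter(q.lower().rstrip(".") for q in queries)
    return sorted((name, n) for name, n in counts.items() if n >= threshold)


# Constructed traffic: the first two heads are exactly what the report shows
# (Host and Connection only, no User-Agent); the third is a benign Windows
# connectivity probe added for contrast.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: api.ipify.org\r\nConnection: Keep-Alive\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: api.ipify.org\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /connecttest.txt HTTP/1.1\r\nHost: www.msftconnecttest.com\r\n"
    "User-Agent: Microsoft NCSI\r\nConnection: Close\r\n\r\n",
]
# Constructed DNS log: the 18 api.ipify.org lookups from the report plus two
# benign names that are not from the report.
SAMPLE_DNS = ["api.ipify.org"] * 18 + ["www.msftconnecttest.com", "time.windows.com"]

if __name__ == "__main__":
    for finding in http_findings(SAMPLE_REQUESTS):
        print(*finding)
    for name, n in dns_repeat_findings(SAMPLE_DNS):
        print(f"{name} resolved {n} times")
```

On the constructed input the two api.ipify.org requests each raise both HTTP findings, the NCSI probe raises none, and only api.ipify.org crosses the DNS repeat threshold. A missing User-Agent on its own is a weak signal (many updaters omit it); its value here comes from coinciding with the echo-service destination and the lookup count in the same window.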

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: 0_2_004402B0 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: 0_2_0045AEE8 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: 0_2_0042A078 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: 0_2_00450214 GetSubMenu,SaveDC,RestoreDC,731EB080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: 0_2_0045B690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: 0_2_0045B740 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 2_2_004402B0 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 2_2_0045AEE8 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 2_2_0042A078 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 2_2_00450214 GetSubMenu,SaveDC,RestoreDC,731EB080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 2_2_0045B690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 2_2_0045B740 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_004A2159 NtCreateSection
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 4_2_004402B0 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 4_2_0045AEE8 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 4_2_0042A078 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 4_2_00450214 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 4_2_0045B690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 4_2_0045B740 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 7_2_004402B0 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 7_2_0045AEE8 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 7_2_0042A078 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 7_2_00450214 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 7_2_0045B690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 7_2_0045B740 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_004A2159 NtCreateSection

Of these, only the NtCreateSection calls in processes 3 and 8 are genuine native (ntdll) calls and line up with the injection signatures above. NtdllDefWindowProc_A is a user32 export commonly imported by Delphi-built GUI code, so those hits describe the outer loader, not the payload.

Detected potential crypto function
Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: 0_2_00450214
Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: 0_2_0040D0C4
Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: 0_2_004553E0
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 2_2_00450214
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 2_2_0040D0C4
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 2_2_004553E0
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_0049B976
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_004A113D
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_024465A3
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_02440880
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_024447D8
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_02440507
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_02440518
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_02441EDA
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_02441EEE
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_02441E80
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_02441EBD
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_02441F4F
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_02441F74
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_02441F22
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 3_2_02441F8B
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 4_2_00450214
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 4_2_0040D0C4
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 4_2_004553E0
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 7_2_00450214
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 7_2_0040D0C4
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 7_2_004553E0
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_0049B976
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_004A113D
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_00A76613
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_00A70880
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_00A70507
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_00A70518
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_00A747D8
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_00A70871
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_00A71EBD
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_00A71E80
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_00A71EEE
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_00A71EDA
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_00A71F8B
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_00A71F22
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_00A71F74
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_00A71F4F
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_0536D610
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_0536CD40
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: 8_2_0536C9F8
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: String function: 004035E4 appears 66 times
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: String function: 00403FCC appears 60 times
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: String function: 00405D78 appears 48 times
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: String function: 00403FA8 appears 204 times
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: String function: 0049BF3C appears 36 times
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: String function: 0040EB1C appears 33 times
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: String function: 00403A60 appears 33 times
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: String function: 0040DA18 appears 63 times
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: String function: 0040609C appears 183 times
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: String function: 00403258 appears 42 times
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Code function: String function: 0049B36B appears 32 times
Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: String function: 00403FA8 appears 68 times
Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe | Code function: String function: 0040609C appears 61 times
One or more processes crash
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6920 -s 2208
PE file contains strange resources
Source: sSQ1r2KRD8.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: sSQ1r2KRD8.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: sSQ1r2KRD8.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hdhskdhl.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hdhskdhl.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hdhskdhl.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: sSQ1r2KRD8.exe, 00000000.00000002.222672753.00000000021B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs sSQ1r2KRD8.exe

The OriginalFilename string was read from a memory dump that holds the version resource of COMCTL32.DLL.MUI, a language resource of a loaded system library, not from the sample's own version info, so this particular mismatch is a weak indicator on its own.

Tries to load missing DLLs
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Section loaded: mscorwks.dll
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Section loaded: mscorsec.dll
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Section loaded: mscorjit.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Section loaded: mscorwks.dll
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Section loaded: mscorsec.dll
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Section loaded: mscorjit.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: verifier.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: dsreg.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: netprofm.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: npmproxy.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: netprofm.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: npmproxy.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: windows.security.authentication.onlineid.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ncrypt.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ntasn1.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ncryptsslp.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: cryptnet.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: twinapi.appcore.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: rmclient.dll
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@23/12@6/4
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeCode function: 0_2_0041DBA8 GetLastError,FormatMessageA,0_2_0041DBA8
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeCode function: 0_2_004085C0 GetDiskFreeSpaceA,0_2_004085C0
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeCode function: 0_2_0041376C FindResourceA,0_2_0041376C
                      Source: C:\Windows\SysWOW64\notepad.exeFile created: C:\Users\user\AppData\Roaming\appdataJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6920
                      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2116.tmp
                      Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.vbs'
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM WIN32_PROCESSOR
                      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: sSQ1r2KRD8.exeVirustotal: Detection: 46%
                      Source: sSQ1r2KRD8.exeMetadefender: Detection: 31%
                      Source: sSQ1r2KRD8.exeReversingLabs: Detection: 75%
                      Source: unknownProcess created: C:\Users\user\Desktop\sSQ1r2KRD8.exe 'C:\Users\user\Desktop\sSQ1r2KRD8.exe'
                      Source: unknownProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe' 2 6920 6209031
                      Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.vbs'
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe' 2 7160 6219562
                      Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6920 -s 2208
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe' 2 6576 6250000
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exeJump to behavior
                      Source: C:\Windows\SysWOW64\notepad.exeProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe' 2 6920 6209031Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe' Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe' Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe' 2 7160 6219562Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeProcess created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe 'C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe' 2 6576 6250000
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Binary string: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.PDB source: hdhskdhl.exe, 00000003.00000002.307782949.0000000006727000.00000004.00000010.sdmp
                      Source: Binary string: hdhskdhl.PDBx source: hdhskdhl.exe, 00000003.00000002.307782949.0000000006727000.00000004.00000010.sdmp
                      Source: Binary string: .pdb3P source: hdhskdhl.exe, 00000003.00000002.307782949.0000000006727000.00000004.00000010.sdmp
                      Source: Binary string: mscorlib.pdb source: hdhskdhl.exe, 00000003.00000002.306497018.00000000053E6000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: hdhskdhl.exe, 00000003.00000002.306076318.0000000005288000.00000004.00000001.sdmp
                      Source: Binary string: ]c:\borrar\EmptyDll\Release\EmptyDll.pdb source: hdhskdhl.exe, 00000008.00000002.500030786.0000000002BDD000.00000004.00000001.sdmp
                      Source: Binary string: (Pn0C:\Windows\mscorlib.pdb source: hdhskdhl.exe, 00000003.00000002.307782949.0000000006727000.00000004.00000010.sdmp
                      Source: Binary string: C:\Users\pierr\source\repositories\IconLib\IconLib\IconLib\obj\Release\IconLib.pdb source: hdhskdhl.exe, 00000008.00000002.500030786.0000000002BDD000.00000004.00000001.sdmp
                      Source: Binary string: c:\borrar\EmptyDll\Release\EmptyDll.pdb source: hdhskdhl.exe, 00000008.00000002.500030786.0000000002BDD000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb{ source: hdhskdhl.exe, 00000003.00000002.306497018.00000000053E6000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb; source: hdhskdhl.exe, 00000003.00000002.306497018.00000000053E6000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbq source: hdhskdhl.exe, 00000003.00000002.299917269.00000000008B0000.00000004.00000020.sdmp
                      Source: Binary string: C:\Users\pierr\source\repositories\IconLib\IconLib\IconLib\obj\Release\IconLib.pdbSHA256 source: hdhskdhl.exe, 00000008.00000002.500030786.0000000002BDD000.00000004.00000001.sdmp
                      Source: Binary string: c:\DotNetZip\Zip Reduced\obj\Release\Ionic.Zip.Reduced.pdb source: hdhskdhl.exe, 00000003.00000002.305463209.0000000003BE1000.00000004.00000001.sdmp, hdhskdhl.exe, 00000008.00000002.502183895.0000000003A11000.00000004.00000001.sdmp

                      Data Obfuscation:

                      Detected unpacking (changes PE section rights)
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe Unpacked PE file: 3.2.hdhskdhl.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe Unpacked PE file: 8.2.hdhskdhl.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                      Detected unpacking (creates a PE file in dynamic memory)
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe Unpacked PE file: 3.2.hdhskdhl.exe.2360000.3.unpack
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe Unpacked PE file: 8.2.hdhskdhl.exe.2380000.3.unpack
                      Detected unpacking (overwrites its own PE header)
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe Unpacked PE file: 3.2.hdhskdhl.exe.400000.0.unpack
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe Unpacked PE file: 8.2.hdhskdhl.exe.400000.0.unpack
                      Yara detected Costura Assembly Loader
                      Source: Yara match File source: Process Memory Space: hdhskdhl.exe PID: 6888, type: MEMORY
                      Source: Yara match File source: Process Memory Space: hdhskdhl.exe PID: 6920, type: MEMORY
                      Source: Yara match File source: Process Memory Space: hdhskdhl.exe PID: 7104, type: MEMORY
                      Source: Yara match File source: Process Memory Space: hdhskdhl.exe PID: 2984, type: MEMORY
                      Source: Yara match File source: Process Memory Space: hdhskdhl.exe PID: 7160, type: MEMORY
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_0042611C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042611C
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_004478C4 push 00447951h; ret 0_2_00447949
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_00424094 push 004240C0h; ret 0_2_004240B8
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_0042815C push 004281B5h; ret 0_2_004281AD
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_0042422C push 00424258h; ret 0_2_00424250
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_0042E4B4 push 0042E4E7h; ret 0_2_0042E4DF
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_004485F4 push ecx; mov dword ptr [esp], edx 0_2_004485F8
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_00436644 push 004366B9h; ret 0_2_004366B1
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_004106AE push 00410726h; ret 0_2_0041071E
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_004106B0 push 00410726h; ret 0_2_0041071E
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_004366BC push 00436715h; ret 0_2_0043670D
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_0044A74C push 0044A778h; ret 0_2_0044A770
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_00410728 push 004107D0h; ret 0_2_004107C8
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_004107D2 push 004108E8h; ret 0_2_004108E0
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_0041A79A push 0041A847h; ret 0_2_0041A83F
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_0041A79C push 0041A847h; ret 0_2_0041A83F
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_0041A84C push 0041A8DCh; ret 0_2_0041A8D4
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_0041A8DE push 0041AC04h; ret 0_2_0041ABFC
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_0045E8E8 push 0045E914h; ret 0_2_0045E90C
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_00448894 push ecx; mov dword ptr [esp], edx 0_2_00448898
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_004268A8 push 004268F7h; ret 0_2_004268EF
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_004108BC push 004108E8h; ret 0_2_004108E0
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_00426950 push 0042697Ch; ret 0_2_00426974
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_00426918 push 00426944h; ret 0_2_0042693C
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_004269C0 push 004269ECh; ret 0_2_004269E4
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_004249EC push 00424A18h; ret 0_2_00424A10
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_004269F8 push 00426A24h; ret 0_2_00426A1C
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_00426988 push 004269B4h; ret 0_2_004269AC
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_004249AC push 004249D8h; ret 0_2_004249D0
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_004069B0 push ecx; mov dword ptr [esp], eax 0_2_004069B1
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_0045E9B8 push 0045E9E4h; ret 0_2_0045E9DC
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exe Code function: 0_2_00426A30 push 00426A5Ch; ret 0_2_00426A54
                      Source: C:\Windows\SysWOW64\notepad.exe File created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe

                      Boot Survival:

                      Drops VBS files to the startup folder
                      Source: C:\Windows\SysWOW64\notepad.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.vbs

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Creates files in alternative data streams (ADS)Show sources
                      Source: C:\Windows\SysWOW64\notepad.exeFile created: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe:ZoneIdentifierJump to behavior
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeCode function: 0_2_0045AF70 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,0_2_0045AF70
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeCode function: 0_2_00442288 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,0_2_00442288
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeCode function: 0_2_00424464 IsIconic,GetWindowPlacement,GetWindowRect,0_2_00424464
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeCode function: 0_2_00442BAC IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,0_2_00442BAC
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeCode function: 0_2_0045B690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0045B690
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeCode function: 0_2_0045B740 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0045B740
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeCode function: 0_2_004419D4 IsIconic,GetCapture,0_2_004419D4
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeCode function: 0_2_00457F98 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,0_2_00457F98
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 2_2_0045AF70 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,2_2_0045AF70
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 2_2_00442288 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,2_2_00442288
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 2_2_00424464 IsIconic,GetWindowPlacement,GetWindowRect,2_2_00424464
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 2_2_00442BAC IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,2_2_00442BAC
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 2_2_0045B690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,2_2_0045B690
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 2_2_0045B740 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,2_2_0045B740
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 2_2_004419D4 IsIconic,GetCapture,2_2_004419D4
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 2_2_00457F98 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,2_2_00457F98
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 4_2_0045AF70 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,4_2_0045AF70
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 4_2_00442288 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,4_2_00442288
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 4_2_00424464 IsIconic,GetWindowPlacement,GetWindowRect,4_2_00424464
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 4_2_00442BAC IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,4_2_00442BAC
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 4_2_0045B690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,4_2_0045B690
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 4_2_0045B740 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,4_2_0045B740
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 4_2_004419D4 IsIconic,GetCapture,4_2_004419D4
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 4_2_00457F98 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,4_2_00457F98
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 7_2_0045AF70 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,7_2_0045AF70
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 7_2_00442288 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,7_2_00442288
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 7_2_00424464 IsIconic,GetWindowPlacement,GetWindowRect,7_2_00424464
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 7_2_00442BAC IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,7_2_00442BAC
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 7_2_0045B690 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,7_2_0045B690
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 7_2_0045B740 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,7_2_0045B740
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 7_2_004419D4 IsIconic,GetCapture,7_2_004419D4
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeCode function: 7_2_00457F98 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,7_2_00457F98
                      Source: C:\Users\user\Desktop\sSQ1r2KRD8.exeCode function: 0_2_0042611C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0042611C
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Process information set: NOOPENFILEERRORBOX (identical entry listed 50 times in the report)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (identical entry listed 3 times in the report)
Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exe | Process information set: NOOPENFILEERRORBOX (identical entry listed 9 times in the report)
                      Source: C:\Users\user\AppData\Roaming\appdata\hdhskdhl.exeProcess infor