Edit tour

Windows Analysis Report
BfwPdttqxH

Overview

General Information

Sample Name:	BfwPdttqxH (renamed file extension from none to exe)
Analysis ID:	679457
MD5:	d4278af4c129db3ea1c48d890304abd1
SHA1:	b6ca93a2c12c164a73339020070662b618723744
SHA256:	9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc
Tags:	32exetrojan
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected AsyncRAT

Multi AV Scanner detection for dropped file

Creates executable files without a name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Machine Learning detection for dropped file

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

BfwPdttqxH.exe (PID: 5932 cmdline: "C:\Users\user\Desktop\BfwPdttqxH.exe" MD5: D4278AF4C129DB3EA1C48D890304ABD1)

powershell.exe (PID: 1748 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 3368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 2360 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

BfwPdttqxH.exe (PID: 4684 cmdline: C:\Users\user\Desktop\BfwPdttqxH.exe MD5: D4278AF4C129DB3EA1C48D890304ABD1)

BfwPdttqxH.exe (PID: 1508 cmdline: C:\Users\user\Desktop\BfwPdttqxH.exe MD5: D4278AF4C129DB3EA1C48D890304ABD1)

cmd.exe (PID: 5712 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4228 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"' MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 5684 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5784 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

.exe (PID: 4336 cmdline: "C:\Users\user\AppData\Roaming\.exe" MD5: D4278AF4C129DB3EA1C48D890304ABD1)

powershell.exe (PID: 916 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5236 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmpD691.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

.exe (PID: 4180 cmdline: C:\Users\user\AppData\Roaming\.exe MD5: D4278AF4C129DB3EA1C48D890304ABD1)

.exe (PID: 3356 cmdline: C:\Users\user\AppData\Roaming\.exe MD5: D4278AF4C129DB3EA1C48D890304ABD1)

conhost.exe (PID: 2236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MpCmdRun.exe (PID: 1508 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "37.0.14.198", "Ports": "6161", "Version": "0.5.7B", "Autorun": "true", "Install_Folder": "%AppData%"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x166c6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x140ff:$x1: AsyncRAT 0x1413d:$x1: AsyncRAT
00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1bd8f:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x290db:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3a6ff:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x1bcfd:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x29049:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x3a66d:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1d094:$a2: Stub.exe 0x1d124:$a2: Stub.exe 0x2a3e0:$a2: Stub.exe 0x2a470:$a2: Stub.exe 0x3bf3c:$a2: Stub.exe 0x3bfcc:$a2: Stub.exe 0x1886f:$a3: get_ActivatePong 0x25bbb:$a3: get_ActivatePong 0x371df:$a3: get_ActivatePong 0x1bf15:$a4: vmware 0x29261:$a4: vmware 0x3a885:$a4: vmware 0x1bd8d:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x290d9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3a6fd:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x19686:$a6: get_SslClient 0x269d2:$a6: get_SslClient 0x37ff6:$a6: get_SslClient
00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1c64b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x29997:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3afa7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x1c5b9:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x29905:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x3af15:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1d950:$a2: Stub.exe 0x1d9e0:$a2: Stub.exe 0x2ac9c:$a2: Stub.exe 0x2ad2c:$a2: Stub.exe 0x3c7e4:$a2: Stub.exe 0x3c874:$a2: Stub.exe 0x1912b:$a3: get_ActivatePong 0x26477:$a3: get_ActivatePong 0x37a87:$a3: get_ActivatePong 0x1c7d1:$a4: vmware 0x29b1d:$a4: vmware 0x3b12d:$a4: vmware 0x1c649:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x29995:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3afa5:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x19f42:$a6: get_SslClient 0x2728e:$a6: get_SslClient 0x3889e:$a6: get_SslClient
00000023.00000002.518564468.0000000004F98000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xb1f3:$x1: AsyncRAT 0xb231:$x1: AsyncRAT
00000009.00000002.307316402.0000000005006000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x95e3:$x1: AsyncRAT 0x9621:$x1: AsyncRAT
00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa133:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x166be:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x140f7:$x1: AsyncRAT 0x14135:$x1: AsyncRAT
Process Memory Space: BfwPdttqxH.exe PID: 5932	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: BfwPdttqxH.exe PID: 5932	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: BfwPdttqxH.exe PID: 5932	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x861e7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: BfwPdttqxH.exe PID: 1508	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: BfwPdttqxH.exe PID: 1508	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x6569:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x24a5a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: BfwPdttqxH.exe PID: 1508	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6144:$x1: AsyncRAT 0x6176:$x1: AsyncRAT 0x1ca3e:$x1: AsyncRAT 0x1ca70:$x1: AsyncRAT 0x24b20:$s6: VirtualBox 0x24ad3:$s8: Win32_ComputerSystem
Process Memory Space: .exe PID: 4336	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: .exe PID: 4336	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: .exe PID: 4336	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x10623:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: .exe PID: 3356	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x22086:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: .exe PID: 3356	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1334b:$x1: AsyncRAT 0x1337d:$x1: AsyncRAT 0x21c71:$x1: AsyncRAT 0x21ca3:$x1: AsyncRAT
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.0.BfwPdttqxH.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.0.BfwPdttqxH.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.0.BfwPdttqxH.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa333:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.0.BfwPdttqxH.exe.400000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa2a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x6e13:$a3: get_ActivatePong 0xa4b9:$a4: vmware 0xa331:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c2a:$a6: get_SslClient
25.2..exe.294fda8.6.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
25.2..exe.294fda8.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
25.2..exe.294fda8.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa333:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1b957:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
25.2..exe.294fda8.6.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa2a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1b8c5:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x1d194:$a2: Stub.exe 0x1d224:$a2: Stub.exe 0x6e13:$a3: get_ActivatePong 0x18437:$a3: get_ActivatePong 0xa4b9:$a4: vmware 0x1badd:$a4: vmware 0xa331:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1b955:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c2a:$a6: get_SslClient 0x1924e:$a6: get_SslClient
0.2.BfwPdttqxH.exe.2952664.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.BfwPdttqxH.exe.2952664.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.BfwPdttqxH.exe.2952664.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa333:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1b943:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.BfwPdttqxH.exe.2952664.4.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa2a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1b8b1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x1d180:$a2: Stub.exe 0x1d210:$a2: Stub.exe 0x6e13:$a3: get_ActivatePong 0x18423:$a3: get_ActivatePong 0xa4b9:$a4: vmware 0x1bac9:$a4: vmware 0xa331:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1b941:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c2a:$a6: get_SslClient 0x1923a:$a6: get_SslClient
0.2.BfwPdttqxH.exe.2945318.5.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.BfwPdttqxH.exe.2945318.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.BfwPdttqxH.exe.2945318.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa333:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1767f:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x28c8f:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.BfwPdttqxH.exe.2945318.5.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa2a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x175ed:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x28bfd:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x18984:$a2: Stub.exe 0x18a14:$a2: Stub.exe 0x2a4cc:$a2: Stub.exe 0x2a55c:$a2: Stub.exe 0x6e13:$a3: get_ActivatePong 0x1415f:$a3: get_ActivatePong 0x2576f:$a3: get_ActivatePong 0xa4b9:$a4: vmware 0x17805:$a4: vmware 0x28e15:$a4: vmware 0xa331:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1767d:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x28c8d:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c2a:$a6: get_SslClient 0x14f76:$a6: get_SslClient 0x26586:$a6: get_SslClient
0.2.BfwPdttqxH.exe.2945318.5.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.BfwPdttqxH.exe.2945318.5.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8533:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.BfwPdttqxH.exe.2945318.5.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x84a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9838:$a2: Stub.exe 0x98c8:$a2: Stub.exe 0x5013:$a3: get_ActivatePong 0x86b9:$a4: vmware 0x8531:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5e2a:$a6: get_SslClient
0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1b82b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x28b77:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3a187:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x1b799:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x28ae5:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x3a0f5:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1cb30:$a2: Stub.exe 0x1cbc0:$a2: Stub.exe 0x29e7c:$a2: Stub.exe 0x29f0c:$a2: Stub.exe 0x3b9c4:$a2: Stub.exe 0x3ba54:$a2: Stub.exe 0x1830b:$a3: get_ActivatePong 0x25657:$a3: get_ActivatePong 0x36c67:$a3: get_ActivatePong 0x1b9b1:$a4: vmware 0x28cfd:$a4: vmware 0x3a30d:$a4: vmware 0x1b829:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x28b75:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3a185:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x19122:$a6: get_SslClient 0x2646e:$a6: get_SslClient 0x37a7e:$a6: get_SslClient
25.2..exe.2942a5c.4.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
25.2..exe.2942a5c.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
25.2..exe.2942a5c.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa333:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1767f:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x28ca3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
25.2..exe.2942a5c.4.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa2a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x175ed:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x28c11:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x18984:$a2: Stub.exe 0x18a14:$a2: Stub.exe 0x2a4e0:$a2: Stub.exe 0x2a570:$a2: Stub.exe 0x6e13:$a3: get_ActivatePong 0x1415f:$a3: get_ActivatePong 0x25783:$a3: get_ActivatePong 0xa4b9:$a4: vmware 0x17805:$a4: vmware 0x28e29:$a4: vmware 0xa331:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1767d:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x28ca1:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7c2a:$a6: get_SslClient 0x14f76:$a6: get_SslClient 0x2659a:$a6: get_SslClient
0.2.BfwPdttqxH.exe.2952664.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.BfwPdttqxH.exe.2952664.4.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8533:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.BfwPdttqxH.exe.2952664.4.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x84a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9838:$a2: Stub.exe 0x98c8:$a2: Stub.exe 0x5013:$a3: get_ActivatePong 0x86b9:$a4: vmware 0x8531:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5e2a:$a6: get_SslClient
25.2..exe.2942a5c.4.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
25.2..exe.2942a5c.4.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8533:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
25.2..exe.2942a5c.4.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x84a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9838:$a2: Stub.exe 0x98c8:$a2: Stub.exe 0x5013:$a3: get_ActivatePong 0x86b9:$a4: vmware 0x8531:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5e2a:$a6: get_SslClient
25.2..exe.294fda8.6.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
25.2..exe.294fda8.6.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8533:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
25.2..exe.294fda8.6.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x84a1:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9838:$a2: Stub.exe 0x98c8:$a2: Stub.exe 0x5013:$a3: get_ActivatePong 0x86b9:$a4: vmware 0x8531:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5e2a:$a6: get_SslClient
25.2..exe.2931564.5.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
25.2..exe.2931564.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
25.2..exe.2931564.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1b82b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x28b77:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3a19b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
25.2..exe.2931564.5.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x1b799:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x28ae5:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x3a109:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1cb30:$a2: Stub.exe 0x1cbc0:$a2: Stub.exe 0x29e7c:$a2: Stub.exe 0x29f0c:$a2: Stub.exe 0x3b9d8:$a2: Stub.exe 0x3ba68:$a2: Stub.exe 0x1830b:$a3: get_ActivatePong 0x25657:$a3: get_ActivatePong 0x36c7b:$a3: get_ActivatePong 0x1b9b1:$a4: vmware 0x28cfd:$a4: vmware 0x3a321:$a4: vmware 0x1b829:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x28b75:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x3a199:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x19122:$a6: get_SslClient 0x2646e:$a6: get_SslClient 0x37a92:$a6: get_SslClient
Click to see the 35 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: BfwPdttqxH.exe

Virustotal: Detection: 23%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\.exe	Virustotal: Detection: 23%			Perma Link
Source: C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe	Virustotal: Detection: 23%			Perma Link

Machine Learning detection for sample

Source: BfwPdttqxH.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe	Joe Sandbox ML: detected

Source: 9.0.BfwPdttqxH.exe.400000.0.unpack

Avira: Label: TR/Dropper.Gen

Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "37.0.14.198", "Ports": "6161", "Version": "0.5.7B", "Autorun": "true", "Install_Folder": "%AppData%"}

Source: BfwPdttqxH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: BfwPdttqxH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

IP Address: 37.0.14.198 37.0.14.198

Source: global traffic

TCP traffic: 192.168.2.3:49763 -> 37.0.14.198:6161

Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198
Source: unknown	TCP traffic detected without corresponding DNS query: 37.0.14.198

Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: BfwPdttqxH.exe, 00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, BfwPdttqxH.exe, 00000009.00000002.299907239.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000023.00000002.518564468.0000000004F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000002.307316402.0000000005006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: .exe PID: 3356, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: .exe PID: 3356, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: BfwPdttqxH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000023.00000002.518564468.0000000004F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000002.307316402.0000000005006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: .exe PID: 3356, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: .exe PID: 3356, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0250C364
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0250E730
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0250E720
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB0510
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB90E8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB5168
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB0F08
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB1DF8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB8A40
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB46EC
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB46D1
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB4693
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB8490
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB847F
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB45E8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB45D8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB2578
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB0500
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB43C8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB43B9
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB4188
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB4179
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB515B
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB0EF9
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB3F80
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB3F71
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB5CE0
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB2CD8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB2CC8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB5CAD
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB2C91
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB1DAD
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB2AD8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB2AC9
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB8A30
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB38D8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB38D7
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB38C8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FBD848
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FBD838
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB09B0
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB09A0
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0ADD74B8
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0ADD0040
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0ADD86E0
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0267C364
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0267E720
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0267E730
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0A5D74B8
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0A5D0040
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0A5D001E
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0A5D86E0

Source: BfwPdttqxH.exe, 00000000.00000002.285752436.000000000AB90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs BfwPdttqxH.exe
Source: BfwPdttqxH.exe, 00000000.00000002.280149519.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs BfwPdttqxH.exe
Source: BfwPdttqxH.exe, 00000000.00000002.278438794.00000000026C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFroor.dll4 vs BfwPdttqxH.exe
Source: BfwPdttqxH.exe, 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs BfwPdttqxH.exe
Source: BfwPdttqxH.exe, 00000000.00000000.234523132.0000000000342000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCommonSecurityDescrip.exe: vs BfwPdttqxH.exe
Source: BfwPdttqxH.exe, 00000000.00000002.285165562.0000000007010000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFroor.dll4 vs BfwPdttqxH.exe
Source: BfwPdttqxH.exe, 00000009.00000000.274209542.000000000040E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs BfwPdttqxH.exe
Source: BfwPdttqxH.exe	Binary or memory string: OriginalFilenameCommonSecurityDescrip.exe: vs BfwPdttqxH.exe

Source: BfwPdttqxH.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZgolgcKGNozdg.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: .exe.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: BfwPdttqxH.exe

Virustotal: Detection: 23%

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

File read: C:\Users\user\Desktop\BfwPdttqxH.exe

Jump to behavior

Source: BfwPdttqxH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\BfwPdttqxH.exe "C:\Users\user\Desktop\BfwPdttqxH.exe"
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Users\user\Desktop\BfwPdttqxH.exe C:\Users\user\Desktop\BfwPdttqxH.exe
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Users\user\Desktop\BfwPdttqxH.exe C:\Users\user\Desktop\BfwPdttqxH.exe
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\.exe "C:\Users\user\AppData\Roaming\.exe"
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmpD691.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Users\user\AppData\Roaming\.exe C:\Users\user\AppData\Roaming\.exe
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Users\user\AppData\Roaming\.exe C:\Users\user\AppData\Roaming\.exe
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Users\user\Desktop\BfwPdttqxH.exe C:\Users\user\Desktop\BfwPdttqxH.exe
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Users\user\Desktop\BfwPdttqxH.exe C:\Users\user\Desktop\BfwPdttqxH.exe
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"' & exit
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\.exe "C:\Users\user\AppData\Roaming\.exe"
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmpD691.tmp
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Users\user\AppData\Roaming\.exe C:\Users\user\AppData\Roaming\.exe
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Users\user\AppData\Roaming\.exe C:\Users\user\AppData\Roaming\.exe

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

File created: C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe

Jump to behavior

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

File created: C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@36/17@0/1

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: BfwPdttqxH.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, ejMMMDwLLjKzq/LtTbNDNFDJ.cs

Base64 encoded string: 'OlOq69vUs0qrY9sfe8nVzFk6ZIxT8BYvVbCG2Iz7nj/xNC11BFuqXaS9CCauYbpQVqOHuK4U2/gALe+toORIJg==', 'HfI6KH+7gAy83L5eZNHZjDjtPo7/B8I7ksbajOImZ2EmaSuH9/0EakbAg0tgbyR2P9JcxOW0Ar622IyJvYSwdQ==', 'SyFVR4uNhKocXRnQhm1ldqtUv2c46H8gQ9xYVj56GGJdW3xO/HaNbcBpRvTM+3M48NNedDjc6CmR+yj6K3/hJQ==', 'wF8b9CsOtkZPwIccMdvdK0ttlcxJ+j9XrFwfP1uL1RwJOQTJG6SHhxRvl44b7R6EZCaVc4SePo6VAOBiYcY0CzD5ehQ/MplsG7nGYv4JDobfXxLKbgH44T6zxBZTQRsWKbtApSXT9dz6gDgX/lD4gxOaZW2/iEs4fGJclwdzjD16J0u79Ffc7Tt8d2KODOl+KVsJs+G4Z6A8/x24Y6W+twOom13LKMxBrR2AXNhkBBVNQmgKMqygSRtVdun6UwzUX7ZiIHxWxusWdEnt/owqnoHqEiSmDzh2xQKqqquNRaKZsf5mNo/b0Qn3e77rz3qXZ/JScWK7J2FAzZwsbZPI2AKvDNh3pPNX4RHGKaCIDUPBjCnfOxeRzelIJwhFj6+9zWPdukVZ9c9npMwd9mCEFrBsbAp7640zwGnLQB2W6+k8iapCsG67lVigzDkepFizmCbaKxpQn1V1x0QGZJ0V+P9v/Uzyi35Q2gzKboFIg8owc1+j0i2xlxAKClis40ZRXTMNL8ZqAy/uY3qGVYpnerVMGoBCheSQvi8+Qu+yPVa5PQ1NsgagAV3kDRNxXsviUVFqd+bUwqq+zQy14NNFox4H8C87aNnM6HpZP8U3EqeXsOC+tB6ibRLYgU2DEjt/pIrT1EeVBYbMjprWU3izDVyVcQZaI2tqdviwg8RjOC+bwZ4xNtCtCXBS5tRADyPJ6SyhcK5tVT5EbXHTlOia9zzsRgIcHwWgoxamr/cI6cIya+lVvvk/sENQGRgR2NUJp/NOzIjyLLHmIo3/2HV2Luqv/ha4jf4PirhDc0liOc+I9Gbe52wk0qF+WTPUSXnNEOEg1Hx72nCTtKA9oBf3FGzwsrj7MZjzJXqeGapyd0PZXq8MFx7OGcbFX0DHh0xBZkqUqebSG9tEXiaJe9syVrynisO7uRgqFMp0kXLjC2C8Lb5fJzUaMF88sVgs/b/ryjiJmpysQYLCFgaGOESTVwx5JKvEMyXHmLQM/l9G+7ac576/7vdYCLQSDbxAeiq5aDuZn++RTgfk0v+YVkWk9nRs4tIPcHiA5i/7+t+bNDDqzdTmonIubovygKzaSdrIUMt4JdtmhZjyeKvMSgek3qJ7o6urABIrqmmUiDoEttHg/NvU4XSIJ6zumLC2h59sk+dp42D7i7CkHk8Q3Ldn318l52hbd6QesZnzkcqRdLXlFg4WGH93ftzEkXJt2SFoWDwFDCF39jImvvZCUSn3dyUNsFoUFolDRBGw2eQVzhnQJcZ8pRswsmXZWbLz2IwoKiPEwy7TKF9IyGeLL/Um8w+KKTQvjPlum19w6leDUpa4dgDz6CGAbr8F6PKU2p/JEsDSyAbg9uhbGVkH64bFHL5syGg+0gA5YwV/+TIgap4/lSV3kxh9r1KOKAqpJZwIBpuW/p0LXVSa8qvFW5nbKM008a0waXkSeCZU7JHdbZWceU1zmp5ATXI41vOeGdpizGNXgkdsC88seNKinWBlmGMKCAmGNTQSANaaHRCCrx0XDqQd6XgDVCUrWubP9BLTMlfWEBzN7VSrc1tCqR24hb4hvP5SLDHPZgmeg/eOxEPi5CLfw435ZUZcD4afImb2uc9Un7+8Fs4xQmnAqAZyBHI8hpp545xIw0f0p2hc8TcA8li9PHY78Bjhp+ayx3/gatJqfTw+hwJ5R98RodfcAjRKe/ElBcouSjP99JlldoiFDDDYkwqEENDZYrT2sP3SQLwxkzl8Y/E1BcMBQ7eboVo6L6EyUIcqR0u33Tt8+p5osoYfnO0V294vZSSZJUtOqOgyoIJMDMyvvqphGDv9wwYA5thG+Q0HxtHe2D0yxC3MmPjNmeUhSHN7JbcRBynq0skpYVrSQ4pHykQBaNItl44+VnQ7hnWVk68qSzTJQT1WCRW0YZJ1/FcR/aeFToSoPA6i421Q6cgt4gbE8p1QRsPykuBBaSke7KJWFj66brxjZmLD+KR3Kkycf+uetChEl7TrS+DVJFFh6XGEDfEvOSQIBRlNJ/zmwwpIF7OVTZnwEOD2w4+0M/r/Urs7LTKLjF1ifl/TJn5o013ZlFpPoON+aM50ic4TQUYo33iVaC9qmaNDvlt+fuVxBaF1nYaGHkphZscXK+ZQu/PuJHRBdRWjWU7tM0RM4vlPCyyOx+D0Uco7N0/VY0KQCv6EL0aWulNqlh+epReFTk5Kt0zvcDZ1wx/thTlZLe4qIT38hu+lhajmJy6Dw7hkVo/eh54uAq9lx5d+o9+ExiXgvo9wnyGVa8GAJqpWJF+oWBoTohR78TzKtAlSDIStlHCmao++ui+WRKTl54PWJP/9Nf6D+TR6uEbl04gcEhT75utqIRM=', 'jurqkpV4RNoBZmcjvtXZZghCHugRIcYGN32qAizCbKFIy9GhwU4BP7j2R88XCp/AIfYIpIRSqj/2VmkrKCcPkg==', 'xcoHQMaUePtysPL0GIc7NyNlNBJGy50GxXU8POFrBNV3MNvxFtT4Poy4+QAvV5D585tl87xV5FtjXBesOkI//A=='

Source: C:\Users\user\AppData\Roaming\.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1532:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3368:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2236:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5380:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4904:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3400:120:WilError_01

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat""

Source: BfwPdttqxH.exe, Lib_Mang_Sys/Member_Panel.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: ZgolgcKGNozdg.exe.0.dr, Lib_Mang_Sys/Member_Panel.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.BfwPdttqxH.exe.2c0000.0.unpack, Lib_Mang_Sys/Member_Panel.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: .exe.9.dr, Lib_Mang_Sys/Member_Panel.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: BfwPdttqxH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: BfwPdttqxH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: BfwPdttqxH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: BfwPdttqxH.exe, Lib_Mang_Sys/Member_Panel.cs	.Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: ZgolgcKGNozdg.exe.0.dr, Lib_Mang_Sys/Member_Panel.cs	.Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.BfwPdttqxH.exe.2c0000.0.unpack, Lib_Mang_Sys/Member_Panel.cs	.Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: .exe.9.dr, Lib_Mang_Sys/Member_Panel.cs	.Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.BfwPdttqxH.exe.400000.0.unpack, LqzYFxeCuXZpYA/nGuOiLeYKRcjh.cs	.Net Code: IlKRlVvntjjrs System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0250F03A push eax; retf
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_0250BB31 push E004B4A9h; ret
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB6C59 push es; retn FB6Bh
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Code function: 0_2_06FB1D19 push es; iretd
Source: C:\Users\user\AppData\Roaming\.exe	Code function: 25_2_0267BB31 push E004BEA9h; ret

Source: BfwPdttqxH.exe

Static PE information: 0x805C46C7 [Tue Mar 30 03:04:39 2038 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.355955012928353
Source: initial sample	Static PE information: section name: .text entropy: 7.355955012928353
Source: initial sample	Static PE information: section name: .text entropy: 7.355955012928353

Persistence and Installation Behavior

Creates executable files without a name

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

File created: C:\Users\user\AppData\Roaming\.exe

Jump to behavior

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	File created: C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe			Jump to dropped file
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	File created: C:\Users\user\AppData\Roaming\.exe			Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: BfwPdttqxH.exe, 00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, BfwPdttqxH.exe, 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, BfwPdttqxH.exe, 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, .exe, 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: BfwPdttqxH.exe, 00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\BfwPdttqxH.exe TID: 5836	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\BfwPdttqxH.exe TID: 5856	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4244	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\BfwPdttqxH.exe TID: 2916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\.exe TID: 2136	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\AppData\Roaming\.exe TID: 3308	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4656	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\.exe TID: 3776	Thread sleep time: -45000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9039
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8452

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\AppData\Roaming\.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\.exe	File Volume queried: C:\ FullSizeInformation

Source: .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: .exe, 00000019.00000002.342688617.0000000000983000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: om&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\::b
Source: .exe, 00000023.00000002.517636332.0000000004EC2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: BfwPdttqxH.exe, 00000009.00000002.307480033.0000000005039000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\O
Source: .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Memory written: C:\Users\user\Desktop\BfwPdttqxH.exe base: 400000 value starts with: 4D5A

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Users\user\Desktop\BfwPdttqxH.exe C:\Users\user\Desktop\BfwPdttqxH.exe
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Users\user\Desktop\BfwPdttqxH.exe C:\Users\user\Desktop\BfwPdttqxH.exe
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"' & exit
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\.exe "C:\Users\user\AppData\Roaming\.exe"
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmpD691.tmp
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Users\user\AppData\Roaming\.exe C:\Users\user\AppData\Roaming\.exe
Source: C:\Users\user\AppData\Roaming\.exe	Process created: C:\Users\user\AppData\Roaming\.exe C:\Users\user\AppData\Roaming\.exe

Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Users\user\Desktop\BfwPdttqxH.exe VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Users\user\Desktop\BfwPdttqxH.exe VolumeInformation
Source: C:\Users\user\Desktop\BfwPdttqxH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Users\user\AppData\Roaming\.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Users\user\AppData\Roaming\.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\BfwPdttqxH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 9.0.BfwPdttqxH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2945318.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2933e20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BfwPdttqxH.exe.2952664.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2942a5c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.294fda8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2..exe.2931564.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 5932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BfwPdttqxH.exe PID: 1508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: .exe PID: 4336, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Scheduled Task/Job	2 Scheduled Task/Job	111 Process Injection	11 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	Boot or Logon Initialization Scripts	2 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Scripting	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	121 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	13 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Timestomp	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BfwPdttqxH.exe	24%	Virustotal		Browse
BfwPdttqxH.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\.exe	24%	Virustotal	Browse
C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe	24%	Virustotal	Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
9.0.BfwPdttqxH.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BfwPdttqxH.exe, 00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, BfwPdttqxH.exe, 00000009.00000002.299907239.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp, .exe, 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	BfwPdttqxH.exe, 00000000.00000002.282781863.00000000067B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.0.14.198	unknown	Netherlands		198301	WKD-ASIE	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679457
Start date and time: 05/08/202220:23:10	2022-08-05 20:23:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	BfwPdttqxH (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	46
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@36/17@0/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 93% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target .exe, PID 3356 because it is empty
Execution Graph export aborted for target BfwPdttqxH.exe, PID 1508 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:24:17	API Interceptor	1x Sleep call for process: BfwPdttqxH.exe modified
20:24:23	API Interceptor	83x Sleep call for process: powershell.exe modified
20:24:44	API Interceptor	1x Sleep call for process: .exe modified
20:25:43	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Process:	C:\Users\user\AppData\Roaming\.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1750
Entropy (8bit):	5.3375092442007315
Encrypted:	false
SSDEEP:	48:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHYHKlEHUzvAHj:Pq5qXEwCYqhQnoPtIxHeqzN4qm0z4D
MD5:	92FEE17DD9A6925BA2D1E5EF2CD6E5F2
SHA1:	4614AE0DD188A0FE1983C5A8D82A69AF5BD13039
SHA-256:	67351D6FA9F9E11FD21E72581AFDC8E63A284A6080D99A6390641FC11C667235
SHA-512:	C599C633D288B845A7FAA31FC0FA86EAB8585CC2C515D68CA0DFC6AB16B27515A5D729EF535109B2CDE29FF3CF4CF725F4F920858501A2421FC7D76C804F2AA7
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BfwPdttqxH.exe.log

Download File

Process:	C:\Users\user\Desktop\BfwPdttqxH.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1750
Entropy (8bit):	5.3375092442007315
Encrypted:	false
SSDEEP:	48:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHYHKlEHUzvAHj:Pq5qXEwCYqhQnoPtIxHeqzN4qm0z4D
MD5:	92FEE17DD9A6925BA2D1E5EF2CD6E5F2
SHA1:	4614AE0DD188A0FE1983C5A8D82A69AF5BD13039
SHA-256:	67351D6FA9F9E11FD21E72581AFDC8E63A284A6080D99A6390641FC11C667235
SHA-512:	C599C633D288B845A7FAA31FC0FA86EAB8585CC2C515D68CA0DFC6AB16B27515A5D729EF535109B2CDE29FF3CF4CF725F4F920858501A2421FC7D76C804F2AA7
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22312
Entropy (8bit):	5.6017760530946585
Encrypted:	false
SSDEEP:	384:XtCDR7k0X8aiBQrnIS0nMjultI+HpaeQ99gRcxmT1MaLZlbAV7B/JcZBDI+Bo:ugBCITMCltxJat8RdCqfwtGVI
MD5:	706BF368BF41FC0C490878E2ADA9D7FB
SHA1:	9163B4C4C5C8B74749F97A632F1E417793FBBB5B
SHA-256:	087AA3BF3DD568E4E9D603F6913B584316B55D805CF2E6E359F9927CA720BEB8
SHA-512:	1E4D6DEE39B77F5E9515D218B9983C4E186866EF49D614CE06D33AF7ADAD8B9A77BCBE667F1268E9DEC68C2EB6636FADFE3000450FE1974B1E4E2511D70B9FE5
Malicious:	false
Preview:	@...e.....................o.%.......T... .s..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5dc33iso.2wh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qidwwvk3.wko.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3bd04b3.uye.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yxtn0rnf.2ib.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp

Download File

Process:	C:\Users\user\Desktop\BfwPdttqxH.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.152940532036133
Encrypted:	false
SSDEEP:	24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtGxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTKv
MD5:	C1CE3B34B343D23210BE2315F10F6BD4
SHA1:	9F5FB230FF5A381EF31767BA6D63F8121D77EB43
SHA-256:	632E8FBEE2BEC3E0317733FF1F15F085C9F315DB7809DC1E47B86AE00C0E402F
SHA-512:	1BD66EE0E59FCF0814EB422A9A8F85BED743273B33409CA167DAB89DD8769CCC89D8B0D96F0F5820DFA923348286D0E8E85E828EB36E460189D1D6CA2ADF0BC7
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Local\Temp\tmpD691.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.152940532036133
Encrypted:	false
SSDEEP:	24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtGxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTKv
MD5:	C1CE3B34B343D23210BE2315F10F6BD4
SHA1:	9F5FB230FF5A381EF31767BA6D63F8121D77EB43
SHA-256:	632E8FBEE2BEC3E0317733FF1F15F085C9F315DB7809DC1E47B86AE00C0E402F
SHA-512:	1BD66EE0E59FCF0814EB422A9A8F85BED743273B33409CA167DAB89DD8769CCC89D8B0D96F0F5820DFA923348286D0E8E85E828EB36E460189D1D6CA2ADF0BC7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat

Download File

Process:	C:\Users\user\Desktop\BfwPdttqxH.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	144
Entropy (8bit):	5.062292143444952
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5oWXp5cViEaKC50CSmqRDWXp5cViE2J5xAInTRIKWcoL1ZPy:hWKqTtT6WXp+NaZ50Zmq1WXp+N23fTrh
MD5:	20D2911EEB8394C37C85158E016A0465
SHA1:	FD49319833F2F4F14E56534A5BBF021C979E2701
SHA-256:	8AA8C51283BBAF49D7EC8CD207873285A89D982F06785828915D64DB1129244E
SHA-512:	D081F982072A7043887B85C6C502791AC9D8522C5FCD281814775CBD4082599D8103B0942B3660CF4EB1912E87929512CC8F60A6A52D820E30187850014D79BC
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpE3E2.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\.exe

Download File

Process:	C:\Users\user\Desktop\BfwPdttqxH.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	631296
Entropy (8bit):	7.350942080201485
Encrypted:	false
SSDEEP:	12288:AzTgQCM0ei0Hth5PSQ7OBOXhsAOf9vHg6SKlpx:tTAhPSkOBOPOf9vJLlpx
MD5:	D4278AF4C129DB3EA1C48D890304ABD1
SHA1:	B6CA93A2C12C164A73339020070662B618723744
SHA-256:	9D19DE1D4BE447775E3345EAE357A9571BD86A607EAF25DF48A6840ACBC390CC
SHA-512:	807C9A5242A831F2F70E8A949A11C58CFE79B9438A7C2D5484CE899CEF6F2F8574F7B03A8D896B5E6473669738266CB04B1B0F9C5E63D85C4C2A00E132B9DCC2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 24%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F\...............0.................. ........@.. ....................................@.................................\...O...................................@................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......@...PP......$......................................................}.....(.......(......{.....o.........0..w........r...p..s.......~O.....o.....r$..p..B....(.......s........o......s..........o......{......o........&........,..o...............Tc..........]k.......0..:.........o ........,+..{....o!...o"....o#...o$....B......(.........0..n........r...p..s........o.....r...p..B...(%.......(&.....B...('......s......o(.....r...p()...&...&........,..o................KZ..

C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe

Download File

Process:	C:\Users\user\Desktop\BfwPdttqxH.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	631296
Entropy (8bit):	7.350942080201485
Encrypted:	false
SSDEEP:	12288:AzTgQCM0ei0Hth5PSQ7OBOXhsAOf9vHg6SKlpx:tTAhPSkOBOPOf9vJLlpx
MD5:	D4278AF4C129DB3EA1C48D890304ABD1
SHA1:	B6CA93A2C12C164A73339020070662B618723744
SHA-256:	9D19DE1D4BE447775E3345EAE357A9571BD86A607EAF25DF48A6840ACBC390CC
SHA-512:	807C9A5242A831F2F70E8A949A11C58CFE79B9438A7C2D5484CE899CEF6F2F8574F7B03A8D896B5E6473669738266CB04B1B0F9C5E63D85C4C2A00E132B9DCC2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 24%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F\...............0.................. ........@.. ....................................@.................................\...O...................................@................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......@...PP......$......................................................}.....(.......(......{.....o.........0..w........r...p..s.......~O.....o.....r$..p..B....(.......s........o......s..........o......{......o........&........,..o...............Tc..........]k.......0..:.........o ........,+..{....o!...o"....o#...o$....B......(.........0..n........r...p..s........o.....r...p..B...(%.......(&.....B...('......s......o(.....r...p()...&...&........,..o................KZ..

C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\BfwPdttqxH.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20220805\PowerShell_transcript.216554.c1En_sl3.20220805202448.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5798
Entropy (8bit):	5.410872515008515
Encrypted:	false
SSDEEP:	96:BZYhdNwqDo1ZsZMhdNwqDo1Z3P5XjZwhdNwqDo1Z1innaZ9:G
MD5:	AF8EAD164BD6A94818BE40733782624B
SHA1:	86A8F8065E2DDA3E5DD7A9E8B2E35DA8B982CEA6
SHA-256:	0D5E2430B9431E5CC87FBF4E74FCA20AD1569A9CF266C57692DC80893D3E5488
SHA-512:	FB9BE0EFA1E576182ED86026C3DB44CE0497EAA68A5237A29B544688EBD3EFE9E2EF3735D8559EFCF225E80584D3460469922A97DE2C619A0AEC996189115E62
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220805202449..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe..Process ID: 916..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220805202449..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe..********************..Windows PowerShell transcript start..Start time: 20220805202904..Username: computer\user..RunAs User: computer

C:\Users\user\Documents\20220805\PowerShell_transcript.216554.v9r7NV+a.20220805202421.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5801
Entropy (8bit):	5.411757839217602
Encrypted:	false
SSDEEP:	96:BZJhdNoqDo1Z5Z7hdNoqDo1Z9P5XjZdhdNoqDo1ZoinnvZA:X
MD5:	1A03A3E434CC299FA1E9A277DB8517E8
SHA1:	0BC8A930029AC6574616DE1BAD1F672938C35783
SHA-256:	F9B62836023539D552AF384A8100090FAE4C8590D2948D8501FC391639AD49DE
SHA-512:	54476AB7B23868ABCE8B089422B8A861F07D801BEACE33DA4E187BF11884CD71BD7A6BC99C0F27034A7EC41BD360C4293EA74201F7141D0EBE47C326AEF3E112
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220805202422..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216554 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe..Process ID: 1748..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220805202422..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe..********************..Windows PowerShell transcript start..Start time: 20220805202815..Username: computer\user..RunAs User: DESKTOP-716T77

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	9062
Entropy (8bit):	3.164173951604669
Encrypted:	false
SSDEEP:	192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zu+e:j+s+v+b+P+m+0+Q+q+F+e
MD5:	7348401F64247D0E1CBEFF9389397F09
SHA1:	29469747E7C077375051373F2353CB8C3332A73A
SHA-256:	7698074830824D745986D9499E756FB505C46118BEF38B3B3317D3572726C298
SHA-512:	8EA31EAE7D517653A0553402CF693975371793E0157FC20FA5715184248402BFFE807E698AF5926DC609D3E4EF7E8E5F983B8AFB037B03CB29C1A0A09CF4A1D8
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.350942080201485
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	BfwPdttqxH.exe
File size:	631296
MD5:	d4278af4c129db3ea1c48d890304abd1
SHA1:	b6ca93a2c12c164a73339020070662b618723744
SHA256:	9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc
SHA512:	807c9a5242a831f2f70e8a949a11c58cfe79b9438a7c2d5484ce899cef6f2f8574f7b03a8d896b5e6473669738266cb04b1b0f9c5e63d85c4c2a00e132b9dcc2
SSDEEP:	12288:AzTgQCM0ei0Hth5PSQ7OBOXhsAOf9vHg6SKlpx:tTAhPSkOBOPOf9vJLlpx
TLSH:	52D40295B2EB9B23E9784FF2B42152644770A03F956BE24E5C893CFB55B1B134B80B43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F\...............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x49b6ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x805C46C7 [Tue Mar 30 03:04:39 2038 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
dec eax
xor al, 46h
pop edx
push esp
inc edi
inc ebx
pop eax
cmp byte ptr [edi], dh
pop eax
xor al, 38h
inc edx
inc esi
aaa
xor al, 47h
inc edx
xor eax, 00003838h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b65c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9c000	0x5ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9b640	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x996cc	0x99800	False	0.7814647165105864	data	7.355955012928353	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x9c000	0x5ec	0x600	False	0.4283854166666667	data	4.1832179829896345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9e000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x9c090	0x35c	data
RT_MANIFEST	0x9c3fc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 20:25:00.649559975 CEST	49763	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:00.677119970 CEST	6161	49763	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:01.218621969 CEST	49763	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:01.246222019 CEST	6161	49763	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:01.828075886 CEST	49763	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:01.855520010 CEST	6161	49763	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:06.867600918 CEST	49768	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:06.895004988 CEST	6161	49768	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:07.548412085 CEST	49768	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:07.575721979 CEST	6161	49768	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:08.094209909 CEST	49768	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:08.122539997 CEST	6161	49768	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:13.297027111 CEST	49774	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:13.324470043 CEST	6161	49774	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:13.985409021 CEST	49774	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:14.012593985 CEST	6161	49774	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:14.594739914 CEST	49774	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:14.622123003 CEST	6161	49774	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:19.653361082 CEST	49777	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:19.680777073 CEST	6161	49777	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:20.298470974 CEST	49777	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:20.326313972 CEST	6161	49777	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:20.985925913 CEST	49777	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:21.013403893 CEST	6161	49777	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:26.024643898 CEST	49779	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:26.052314043 CEST	6161	49779	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:26.642718077 CEST	49779	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:26.670074940 CEST	6161	49779	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:27.345860004 CEST	49779	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:27.373054981 CEST	6161	49779	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:32.378705025 CEST	49794	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:32.406044006 CEST	6161	49794	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:32.987075090 CEST	49794	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:33.014451981 CEST	6161	49794	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:33.596462965 CEST	49794	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:33.623859882 CEST	6161	49794	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:38.629328012 CEST	49807	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:38.656769037 CEST	6161	49807	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:39.315737009 CEST	49807	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:39.343333006 CEST	6161	49807	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:39.932595015 CEST	49807	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:39.960140944 CEST	6161	49807	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:44.973624945 CEST	49814	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:45.000778913 CEST	6161	49814	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:45.504049063 CEST	49814	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:45.531956911 CEST	6161	49814	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:46.035042048 CEST	49814	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:46.062295914 CEST	6161	49814	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:51.068294048 CEST	49819	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:51.095670938 CEST	6161	49819	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:51.598002911 CEST	49819	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:51.625327110 CEST	6161	49819	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:52.129281044 CEST	49819	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:52.156703949 CEST	6161	49819	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:57.174474001 CEST	49833	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:57.201643944 CEST	6161	49833	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:57.707907915 CEST	49833	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:57.735132933 CEST	6161	49833	37.0.14.198	192.168.2.3
Aug 5, 2022 20:25:58.239228964 CEST	49833	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:25:58.266422987 CEST	6161	49833	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:03.272723913 CEST	49848	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:03.300067902 CEST	6161	49848	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:03.802263975 CEST	49848	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:03.829683065 CEST	6161	49848	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:04.333569050 CEST	49848	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:04.362463951 CEST	6161	49848	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:09.367032051 CEST	49849	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:09.394157887 CEST	6161	49849	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:09.896497965 CEST	49849	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:09.923904896 CEST	6161	49849	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:10.427694082 CEST	49849	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:10.455108881 CEST	6161	49849	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:15.459968090 CEST	49850	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:15.487970114 CEST	6161	49850	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:15.990724087 CEST	49850	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:16.018672943 CEST	6161	49850	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:16.522026062 CEST	49850	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:16.549967051 CEST	6161	49850	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:21.554250956 CEST	49852	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:21.581816912 CEST	6161	49852	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:22.084964037 CEST	49852	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:22.112504005 CEST	6161	49852	37.0.14.198	192.168.2.3
Aug 5, 2022 20:26:22.616478920 CEST	49852	6161	192.168.2.3	37.0.14.198
Aug 5, 2022 20:26:22.644006014 CEST	6161	49852	37.0.14.198	192.168.2.3

Target ID:	0
Start time:	20:24:07
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\BfwPdttqxH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BfwPdttqxH.exe"
Imagebase:	0x2c0000
File size:	631296 bytes
MD5 hash:	D4278AF4C129DB3EA1C48D890304ABD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.279559611.00000000028A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.279880645.0000000002933000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: powershell.exePID: 1748, Parent PID: 5932

General

Target ID:	4
Start time:	20:24:20
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Imagebase:	0x950000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exePID: 3368, Parent PID: 1748

General

Target ID:	5
Start time:	20:24:20
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exePID: 2360, Parent PID: 5932

General

Target ID:	6
Start time:	20:24:20
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp
Imagebase:	0xab0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5380, Parent PID: 2360

General

Target ID:	7
Start time:	20:24:21
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: BfwPdttqxH.exePID: 4684, Parent PID: 5932

General

Target ID:	8
Start time:	20:24:24
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\BfwPdttqxH.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\BfwPdttqxH.exe
Imagebase:	0x2b0000
File size:	631296 bytes
MD5 hash:	D4278AF4C129DB3EA1C48D890304ABD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: BfwPdttqxH.exePID: 1508, Parent PID: 5932

General

Target ID:	9
Start time:	20:24:25
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\BfwPdttqxH.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\BfwPdttqxH.exe
Imagebase:	0x6f0000
File size:	631296 bytes
MD5 hash:	D4278AF4C129DB3EA1C48D890304ABD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.298988477.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.307316402.0000000005006000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000000.273890035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Analysis Process: cmd.exePID: 5712, Parent PID: 1508

General

Target ID:	14
Start time:	20:24:34
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"' & exit
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 4904, Parent PID: 5712

General

Target ID:	16
Start time:	20:24:34
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 5684, Parent PID: 1508

General

Target ID:	17
Start time:	20:24:34
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat""
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exePID: 4228, Parent PID: 5712

General

Target ID:	18
Start time:	20:24:34
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\user\AppData\Roaming\.exe"'
Imagebase:	0xab0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5180, Parent PID: 5684

General

Target ID:	20
Start time:	20:24:35
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exePID: 5784, Parent PID: 5684

General

Target ID:	22
Start time:	20:24:36
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0x13b0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: .exePID: 4336, Parent PID: 5684

General

Target ID:	25
Start time:	20:24:40
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Roaming\.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\.exe"
Imagebase:	0x360000
File size:	631296 bytes
MD5 hash:	D4278AF4C129DB3EA1C48D890304ABD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000019.00000002.346637668.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000019.00000002.346146795.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 24%, Virustotal, Browse

Analysis Process: powershell.exePID: 916, Parent PID: 4336

General

Target ID:	29
Start time:	20:24:46
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe
Imagebase:	0x950000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 1532, Parent PID: 916

General

Target ID:	30
Start time:	20:24:47
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exePID: 5236, Parent PID: 4336

General

Target ID:	31
Start time:	20:24:47
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgolgcKGNozdg" /XML "C:\Users\user\AppData\Local\Temp\tmpD691.tmp
Imagebase:	0xab0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 3400, Parent PID: 5236

General

Target ID:	32
Start time:	20:24:48
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: .exePID: 4180, Parent PID: 4336

General

Target ID:	34
Start time:	20:24:51
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Roaming\.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\.exe
Imagebase:	0x3d0000
File size:	631296 bytes
MD5 hash:	D4278AF4C129DB3EA1C48D890304ABD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: .exePID: 3356, Parent PID: 4336

General

Target ID:	35
Start time:	20:24:52
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Roaming\.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\.exe
Imagebase:	0x470000
File size:	631296 bytes
MD5 hash:	D4278AF4C129DB3EA1C48D890304ABD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000023.00000002.518564468.0000000004F98000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000023.00000002.507915414.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen

Analysis Process: MpCmdRun.exePID: 1508, Parent PID: 4952

General

Target ID:	43
Start time:	20:25:42
Start date:	05/08/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7b0320000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2236, Parent PID: 1508

General

Target ID:	44
Start time:	20:25:42
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Disassembly

⊘No disassembly

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BfwPdttqxH

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BfwPdttqxH.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5dc33iso.2wh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qidwwvk3.wko.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t3bd04b3.uye.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yxtn0rnf.2ib.ps1

C:\Users\user\AppData\Local\Temp\tmp6E9F.tmp

C:\Users\user\AppData\Local\Temp\tmpD691.tmp

C:\Users\user\AppData\Local\Temp\tmpE3E2.tmp.bat

C:\Users\user\AppData\Roaming\.exe

C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe

C:\Users\user\AppData\Roaming\ZgolgcKGNozdg.exe:Zone.Identifier

C:\Users\user\Documents\20220805\PowerShell_transcript.216554.c1En_sl3.20220805202448.txt

C:\Users\user\Documents\20220805\PowerShell_transcript.216554.v9r7NV+a.20220805202421.txt

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

\Device\Null

Static File Info

Windows Analysis Report
BfwPdttqxH