Windows Analysis Report
LFfjUMuUFU.exe

Overview

General Information

Sample name: LFfjUMuUFU.exe
renamed because original name is a hash value
Original sample name: 117efcf6a3a3af167c293331a7531a46.exe
Analysis ID: 1436255
MD5: 117efcf6a3a3af167c293331a7531a46
SHA1: 876b3d74c8b535f6b90455b0f8a5d79ca33362e1
SHA256: 4eedc7ed6ade620eef8eb160d18518afc9c59eb262baf8a9fdbe758fb611b6f0
Tags: 32exetrojan
Infos:

Detection

AsyncRAT, PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected WebBrowserPassView password recovery tool
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
AsyncRAT AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
Name Description Attribution Blogpost URLs Link
XWorm Malware with wide range of capabilities ranging from RAT to ransomware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: beshomandotestbesnd.run.place Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\1235.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\456.exe Avira: detection malicious, Label: TR/Dropper.Gen
Found malware configuration
Source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "45.61.150.201", "beshomandotestbesnd.run.place"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6", "Telegram URL": "https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672"}
Source: 0000000B.00000002.3354395323.0000000002D61000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1,45.61.150.201,beshomandotestbesnd.run.place", "Port": "6606,7707,8808", "Version": "| Edit 3LOSH RAT", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "true"}
Multi AV Scanner detection for domain / URL
Source: beshomandotestbesnd.run.place Virustotal: Detection: 9% Perma Link
Source: beshomandotestbesnd.run.place Virustotal: Detection: 9% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\1235.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\1235.exe Virustotal: Detection: 65% Perma Link
Source: C:\Users\user\AppData\Roaming\456.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\456.exe Virustotal: Detection: 63% Perma Link
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Virustotal: Detection: 41% Perma Link
Multi AV Scanner detection for submitted file
Source: LFfjUMuUFU.exe ReversingLabs: Detection: 36%
Source: LFfjUMuUFU.exe Virustotal: Detection: 41% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\1235.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\456.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: LFfjUMuUFU.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 12.0.1235.exe.e10000.0.unpack String decryptor: 127.0.0.1,45.61.150.201,beshomandotestbesnd.run.place
Source: 12.0.1235.exe.e10000.0.unpack String decryptor: 7000
Source: 12.0.1235.exe.e10000.0.unpack String decryptor: <123456789>
Source: 12.0.1235.exe.e10000.0.unpack String decryptor: <Xwormmm>
Source: 12.0.1235.exe.e10000.0.unpack String decryptor: XWorm V5.6
Source: 12.0.1235.exe.e10000.0.unpack String decryptor: USB.exe
Source: 12.0.1235.exe.e10000.0.unpack String decryptor: %AppData%
Source: 12.0.1235.exe.e10000.0.unpack String decryptor: XClient.exe
Source: 12.0.1235.exe.e10000.0.unpack String decryptor: 2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo
Source: 12.0.1235.exe.e10000.0.unpack String decryptor: 966649672
Uses 32bit PE files
Source: LFfjUMuUFU.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: LFfjUMuUFU.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 456.exe, 0000000B.00000002.3419628057.0000000007340000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: OfXP.pdb source: LFfjUMuUFU.exe, AAkXVY.exe.0.dr
Source: Binary string: OfXP.pdbSHA256; source: LFfjUMuUFU.exe, AAkXVY.exe.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Code function: 4x nop then jmp 09D3198Dh 0_2_09D32148
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Code function: 4x nop then jmp 09D3198Dh 0_2_09D32247
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 4x nop then jmp 0AAD08EDh 10_2_0AAD10A8
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 4x nop then jmp 0AAD08EDh 10_2_0AAD11A7

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 45.88.186.125:8808 -> 192.168.2.5:49718
Source: Traffic Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 45.88.186.125:8808 -> 192.168.2.5:49718
Source: Traffic Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 45.88.186.125:7000 -> 192.168.2.5:49722
Source: Traffic Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 45.88.186.125:7000 -> 192.168.2.5:49722
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 127.0.0.1
Source: Malware configuration extractor URLs: 45.61.150.201
Source: Malware configuration extractor URLs: beshomandotestbesnd.run.place
Source: Malware configuration extractor URLs: beshomandotestbesnd.run.place
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 12.0.1235.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.MSBuild.exe.2eaa5c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.MSBuild.exe.2eb59e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.456.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Roaming\1235.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\456.exe, type: DROPPED
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49710 -> 45.61.150.201:7707
Source: global traffic TCP traffic: 192.168.2.5:49718 -> 45.88.186.125:8808
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: QUICKPACKETUS QUICKPACKETUS
Source: Joe Sandbox View ASN Name: ANONYMIZEEpikNetworkCH ANONYMIZEEpikNetworkCH
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 45.61.150.201
Source: unknown TCP traffic detected without corresponding DNS query: 45.61.150.201
Source: unknown TCP traffic detected without corresponding DNS query: 45.61.150.201
Source: unknown TCP traffic detected without corresponding DNS query: 45.61.150.201
Source: unknown TCP traffic detected without corresponding DNS query: 45.61.150.201
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: 456.exe, 0000000B.00000002.3419628057.0000000007340000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: 456.exe, 0000000B.00000002.3419628057.0000000007340000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: beshomandotestbesnd.run.place
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: powershell.exe, 00000019.00000002.2884794122.000001B727ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: powershell.exe, 00000019.00000002.2884794122.000001B727ACE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3312242107.0000016D70DAF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000019.00000002.2884794122.000001B727ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micft.cMicRosof
Source: 456.exe, 0000000B.00000002.3398649290.00000000051A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 456.exe, 0000000B.00000002.3398649290.00000000051A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 0000000E.00000002.2162518724.0000015B3253F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2445457495.000001B567A5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2788121554.000001B71F4BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3261780764.0000016D10066000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001B.00000002.2943982437.0000016D00227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000E.00000002.2110588680.0000015B226F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2258279552.000001B557C19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2594214487.000001B70F67A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2943982437.0000016D00227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: LFfjUMuUFU.exe, 00000000.00000002.2047181888.00000000025D8000.00000004.00000800.00020000.00000000.sdmp, AAkXVY.exe, 0000000A.00000002.2203533506.0000000003248000.00000004.00000800.00020000.00000000.sdmp, 456.exe, 0000000B.00000002.3354395323.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, 1235.exe, 0000000C.00000002.3349500218.0000000003121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2110588680.0000015B224D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2258279552.000001B5579F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2594214487.000001B70F451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2943982437.0000016D00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.2110588680.0000015B226F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2258279552.000001B557C19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2594214487.000001B70F67A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2943982437.0000016D00227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: LFfjUMuUFU.exe, AAkXVY.exe.0.dr String found in binary or memory: http://tempuri.org/DataSetGen.xsd
Source: powershell.exe, 0000001B.00000002.2943982437.0000016D00227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001B.00000002.3309340008.0000016D709EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.micrm/pki/certs/MicR_2010-06-23.crt0
Source: 456.exe, 0000000B.00000002.3419628057.0000000007340000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 0000000E.00000002.2110588680.0000015B224D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2258279552.000001B5579F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2594214487.000001B70F451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2943982437.0000016D00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: MSBuild.exe, 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 1235.exe, 0000000C.00000000.2008108195.0000000000E12000.00000002.00000001.01000000.0000000F.sdmp, MSBuild.exe, 00000012.00000002.2158028253.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, 1235.exe.9.dr String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 0000001B.00000002.3261780764.0000016D10066000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001B.00000002.3261780764.0000016D10066000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001B.00000002.3261780764.0000016D10066000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001B.00000002.2943982437.0000016D00227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.2162518724.0000015B3253F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2445457495.000001B567A5D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2788121554.000001B71F4BA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3261780764.0000016D10066000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49721 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected AsyncRAT
Source: Yara match File source: 11.0.456.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.2007187382.00000000009A2000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3354395323.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 456.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\456.exe, type: DROPPED
Contains functionality to log keystrokes (.Net Source)
Source: 456.exe.9.dr, LimeLogger.cs .Net Code: KeyboardLayout
Source: 1235.exe.9.dr, XLogger.cs .Net Code: KeyboardLayout
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, XLogger.cs .Net Code: KeyboardLayout

Operating System Destruction
barindex
Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: 01 00 00 00 Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: dump.pcap, type: PCAP Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.MSBuild.exe.3047c50.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 12.0.1235.exe.e10000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 18.2.MSBuild.exe.2eb59e8.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.MSBuild.exe.3053078.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 18.2.MSBuild.exe.2eaa5c0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 18.2.MSBuild.exe.2eaa5c0.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 18.2.MSBuild.exe.2eb59e8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.0.456.exe.9a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 11.0.456.exe.9a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.3414123856.000000000679C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000C.00000000.2008108195.0000000000E12000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000000.2007187382.00000000009A2000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000013.00000002.2268754749.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.3398649290.00000000051D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000013.00000002.2259471058.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.3354395323.0000000002DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.3354395323.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.3398649290.0000000005278000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000012.00000002.2158028253.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.3413113784.0000000006778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 1248, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: 456.exe PID: 6660, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: 456.exe PID: 6660, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: 456.exe PID: 5560, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\1235.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\456.exe, type: DROPPED Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: C:\Users\user\AppData\Roaming\456.exe, type: DROPPED Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Code function: 0_2_0078DCD4 0_2_0078DCD4
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Code function: 0_2_09D333E9 0_2_09D333E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 9_2_012D17B0 9_2_012D17B0
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 10_2_0153DCD4 10_2_0153DCD4
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 10_2_075244E8 10_2_075244E8
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 10_2_0752B590 10_2_0752B590
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 10_2_0752B5A0 10_2_0752B5A0
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 10_2_075244D8 10_2_075244D8
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 10_2_0752D378 10_2_0752D378
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 10_2_0752D367 10_2_0752D367
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 10_2_0752B168 10_2_0752B168
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 10_2_07522F90 10_2_07522F90
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 10_2_07522F80 10_2_07522F80
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 10_2_0752AD16 10_2_0752AD16
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 10_2_0752AD30 10_2_0752AD30
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 10_2_0752D870 10_2_0752D870
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Code function: 10_2_0AAD2301 10_2_0AAD2301
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_0121E1A8 11_2_0121E1A8
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07336377 11_2_07336377
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07336388 11_2_07336388
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07338E62 11_2_07338E62
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07338EF2 11_2_07338EF2
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07331B10 11_2_07331B10
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07597318 11_2_07597318
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_0759A092 11_2_0759A092
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07599930 11_2_07599930
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07591170 11_2_07591170
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07593F80 11_2_07593F80
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_0759ADB0 11_2_0759ADB0
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07594A98 11_2_07594A98
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07592948 11_2_07592948
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07653F50 11_2_07653F50
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_076567D8 11_2_076567D8
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_0765DA80 11_2_0765DA80
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07656FE8 11_2_07656FE8
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07656FF8 11_2_07656FF8
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_076DC628 11_2_076DC628
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_076DC3C0 11_2_076DC3C0
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_076D8C28 11_2_076D8C28
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_076D8C38 11_2_076D8C38
Source: C:\Users\user\AppData\Roaming\1235.exe Code function: 12_2_00007FF848C412E9 12_2_00007FF848C412E9
Source: C:\Users\user\AppData\Roaming\1235.exe Code function: 12_2_00007FF848C41CCD 12_2_00007FF848C41CCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 18_2_012A17B0 18_2_012A17B0
Source: C:\Users\user\AppData\Roaming\1235.exe Code function: 20_2_00007FF848C512E9 20_2_00007FF848C512E9
Source: C:\Users\user\AppData\Roaming\1235.exe Code function: 20_2_00007FF848C51CCD 20_2_00007FF848C51CCD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_00007FF848D43333 22_2_00007FF848D43333
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_00007FF848D130E9 27_2_00007FF848D130E9
Sample file is different than original file name gathered from version info
Source: LFfjUMuUFU.exe, 00000000.00000000.1968284586.0000000000062000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameOfXP.exe6 vs LFfjUMuUFU.exe
Source: LFfjUMuUFU.exe, 00000000.00000002.2047181888.00000000025D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOutput.exe@ vs LFfjUMuUFU.exe
Source: LFfjUMuUFU.exe, 00000000.00000002.2062671888.0000000007040000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs LFfjUMuUFU.exe
Source: LFfjUMuUFU.exe, 00000000.00000002.2057556745.0000000003875000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOutput.exe@ vs LFfjUMuUFU.exe
Source: LFfjUMuUFU.exe, 00000000.00000002.2057556745.0000000003875000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs LFfjUMuUFU.exe
Source: LFfjUMuUFU.exe, 00000000.00000002.2047181888.0000000002551000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dllD vs LFfjUMuUFU.exe
Source: LFfjUMuUFU.exe, 00000000.00000002.2061759454.0000000004B70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dllD vs LFfjUMuUFU.exe
Source: LFfjUMuUFU.exe, 00000000.00000002.2022543031.00000000007AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs LFfjUMuUFU.exe
Source: LFfjUMuUFU.exe Binary or memory string: OriginalFilenameOfXP.exe6 vs LFfjUMuUFU.exe
Uses 32bit PE files
Source: LFfjUMuUFU.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: dump.pcap, type: PCAP Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.MSBuild.exe.3047c50.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 12.0.1235.exe.e10000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 18.2.MSBuild.exe.2eb59e8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.MSBuild.exe.3053078.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 18.2.MSBuild.exe.2eaa5c0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 18.2.MSBuild.exe.2eaa5c0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 18.2.MSBuild.exe.2eb59e8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.0.456.exe.9a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 11.0.456.exe.9a0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.3414123856.000000000679C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000C.00000000.2008108195.0000000000E12000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000000.2007187382.00000000009A2000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000013.00000002.2268754749.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.3398649290.00000000051D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000013.00000002.2259471058.0000000000F86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.3354395323.0000000002DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.3354395323.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.3398649290.0000000005278000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000012.00000002.2158028253.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.3413113784.0000000006778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: MSBuild.exe PID: 1248, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 456.exe PID: 6660, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 456.exe PID: 6660, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: 456.exe PID: 5560, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\1235.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\456.exe, type: DROPPED Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\456.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: LFfjUMuUFU.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AAkXVY.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.LFfjUMuUFU.exe.3875148.7.raw.unpack, Program.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LFfjUMuUFU.exe.38a4368.8.raw.unpack, Program.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LFfjUMuUFU.exe.25a77c8.3.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LFfjUMuUFU.exe.25a77c8.3.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LFfjUMuUFU.exe.67f0000.10.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LFfjUMuUFU.exe.67f0000.10.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LFfjUMuUFU.exe.2596b50.5.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LFfjUMuUFU.exe.2596b50.5.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1235.exe.9.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1235.exe.9.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1235.exe.9.dr, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 456.exe.9.dr, Settings.cs Base64 encoded string: 'XrfvbCvsS9vtxvWVW8AhIetJt98yF0O0it4ifaj473qCzK2PTwItZK2Uw42MciR0RNbL29s1R3evdUgzPY/bnw==', 'NYWcjEJSowcO4c5eWb5N5GpsUJy57xkxDMT4phc043Oqi34ixLzUARnu8DhfbMn8FAL4AjdhoVkNMrVOudhrI46RIKMZusyoXCUuj5feTVeSS9RHC3ip+kzO2qUnYnp1nTX9ySCO1lmims2BINzm1Q==', 'gceFmxgh1fSOz/+AxIQYya1QNucnOxcMuk+0vLDEeUYPpJUbGk4HaBQKno2HG4bA6o3UNlNXJLw1T3UZVIAs/W2aFfpJD1p2U7GUKgcuDDE=', 'oflgvPy/WveCypfpXYWdNutP9VgxhVV4BqYsduThacod/0VhZTkVDNHqOwyWox+gzRVPgxOnz0sGQw+H6Rj6jbEpz0Qoo4XvWleI0tfpLVc=', 'gs0gnSjSNM4+8CYNva87VU6tWvx/lSPh5QO+/RcNJRNbKkXVCeQoHQeTrUMZ46sk1RAZs4//V9ujM5wPmi7oiZO0ykuaXdaVh1r6PksVvah8z4wFY1EoLewJNtsRk4+gm09Hht/OMTecyPubyVc5em0E1LN4EEPFnVn784cAetxmL0L7MsFFvx8Z+G3Bv7+tby8znYV+Ep1zkfffw1FMa+a/EDr8PevPmWHKJuuWKV3dQlCNwM1jEwwxnI6MUkJT8bWPfnzMxGwlQwno46jJGZELocr1NuAB8tXa5vwOB2H9bpmdgTFd1oTig0kOpyB2QeO3KeHauyinpKo2AeTyEGxtmxBQNTMOpv9bYkIQGJE2fjppmbyiuRtVVF9YLFruX0XNwtq+M7Mqh03abAWqHn0paLGknM75rY+06Q275yCe3YdzGHG+9dtlg3yGCuIQWVu0mclm9FX438Nn1lrVOue5d94h58Q0hLzn31ceh8EP8fI8obQwCRAQDLuNgmahjguAu25k+NUNVHOZO97Tx5LKLCjBWegzcfT++f0DLku35NJWGCmawUIYVZZkzMF9BtGnQkUbS1n4dL1TLDYLLmRePLmgAgVZ4o9ld4VtXx741+cZJG4Mn5SHVt76UuCOjxXpx9xMMN9uHkC2SKhVin0ydrnrOqdtuYExnJOdqhqETuhIfCTcArOjsWvZl3FfnYlaxFVEgl3vBHaGrRduqtWzFQDadeJ2G7L7gPmKH6c1CLWUkOTa0PPsokrSVC+bdmwHKMEOjsR0pIycKJBVPttOnPft2qQnpqT3RY0BwAFY6inKF9mQKKBcecrNGo4Tm7mi/YCDLorC+Iep8iqzGUpEYv90Q+rfAnxJAffTTcUKE8zVELAYhJcTaNm/ghDTUNaFJs1lual/ifkCLLTcDfbuIszq7m0Dg4ufwjhiOmB9jPxw4GzB6oK/QwFoHirfiicZjjjKNs84icncATryqsYH/K1aGQgCsV7D6wZ7OUK3beH+GtMYonhbjEw3CBrZohrFi68yX06byJWkTNbOtJEvmsIeFuqzZKMlZwvcNocXel5I4NAP1yV6rrN2QHR/jSlyQlYErBVndS7N9NMo/iZQLvMcIOf7namihOHpOxjmUajnMSCLLcBNZR+zZqXfeP270P1wHgOqcS6GUizMjjYUfxf9C1VKw0ceAwXrNQHfIKI1c+Zk1F/Has0+0K9TgfxKgWPCkxABdkCHwmTE8nSs7F5f/M3Dpa/sMCEI69arKcdnS/hp/ype7X49w2dH7cZi0gi3y0vlgWjvIeHexpk6Ls+x7Rq8xJM+eOtgQDKa1QM0rlVipKvlS/Jos94QwtI7fVmLmzTS/Qmghp17bZSZ5V86LrwdgU51xc3ObZB6B7k0LEInua07JoMaq0TJEItgXk4YMDgzCkW+GRRP8nr4Wez7y2R354W0BQ1tFQSutIVA8hnt3wRwpaGGgYD0C2V+6TRg/gndI3QnUFY6P93YgbrWYbMypwwpKjSGU5IWZy2JF2Mf4SpCcJR4PdtCqouWjBf8IVPF+jpjD9qBle/gdbISDEYphroufn2AhQLuHmm9aDmcVCGSwRsrUMB9nx339YYffGcqCxwY4f6V+GDPgPbcKRWtTcTJWebHiaEESbe0Q3XGaimeEJ9PEvLlpLhcqTqemfXbB/Br0QaXCfuo1oaFFkobbLd4zV8R5uiMXlvGKZDZZju5be4RCY+JPvqdGNe3PqimixOo2/RfQlSTvy4z9GISYoThsN68SbVaGfZxU9uYudD9lU50g7aF11wRc+B5toq3r1sxMS8bBuZrv74lrP7x7e7+gvGcLZAYD8hjTJ0hTu2sEk1Dfz5CmoeOL9xeehiSkXM7XcK+WmSgD7QintRdSQgTyk80S/eG3ml4kGz0cfDtQvBBidefAkD5dSpm4zeO2mlBWkH9IWi8c7b0PsUt4mk/vP+ZUOUCp6jWNbfVvqKNeDWAV7qHxbMu0b2Rwlypc4CVeDnWs1O03q83eswIr53GzAEHhdKaLIunhD0NTiPzgvEClyftXv3QAAXGCgnx4dCAa70Aj9yIvEiCmgvvubE/6BP714SIa6W1ec1uhZ87BskhhTeZfljBgfJ+2ckXoV/W2I2/ayBIb36RtEx3k4DOOfsbEGzDYrhNa8pSBBYfe2qGuzGn861KMTmnJK/kqWVCS/0ZfQW4P4v0XoehGxbu9D/tLSvG/1pWKiJOIjvi4zyvuqb2i1lRX5h8aYGPQ3D9UjdX/PNdNT43WdDzqlRPdl7ef8DQ6DIaolny4bc123i04IoJF3jTvEoLzBZ9poAXXp6I/ofrmT0pReiUVP0Hk0nFf0I=', 'GCA1NPHnPoxpWFOgviZr2K7MYPBnUuuUNB15sNhmY0HLiZ5GvmvTzKP5E9bYqoDxDE6HE1ebl1tJO6b5pjMvbQ==', 'xCF96lFwQMlpyAqJJEEkh88raB10uydFprDc1Wi1PUdQE3Hu7woF/BmVCi8JuVjMlUE0SDBT14V5lFiEurl
Source: 1235.exe.9.dr, Settings.cs Base64 encoded string: 'w6lKzjnNnGgLh/ygU42y9tPfBFE58Paa4Y5HtTKCm40Y4yehqi+R4+nE0TkCfShIlKlFRabZT2TIbi+C9mqi+w==', 'idRuqMzpQRaQmVNve4JTqyxZsHwuV52FkFv9CBx5fjPco9GhNgFUF06FXdqeVtVh'
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, Settings.cs Base64 encoded string: 'w6lKzjnNnGgLh/ygU42y9tPfBFE58Paa4Y5HtTKCm40Y4yehqi+R4+nE0TkCfShIlKlFRabZT2TIbi+C9mqi+w==', 'idRuqMzpQRaQmVNve4JTqyxZsHwuV52FkFv9CBx5fjPco9GhNgFUF06FXdqeVtVh'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, nLTpG6jcEcbVhVMOwI.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, nLTpG6jcEcbVhVMOwI.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 456.exe.9.dr, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 456.exe.9.dr, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1235.exe.9.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1235.exe.9.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, YMLSD2UFO0T99idHX6.cs Security API names: _0020.SetAccessControl
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, YMLSD2UFO0T99idHX6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, YMLSD2UFO0T99idHX6.cs Security API names: _0020.AddAccessRule
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, YMLSD2UFO0T99idHX6.cs Security API names: _0020.SetAccessControl
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, YMLSD2UFO0T99idHX6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, YMLSD2UFO0T99idHX6.cs Security API names: _0020.AddAccessRule
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, nLTpG6jcEcbVhVMOwI.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, nLTpG6jcEcbVhVMOwI.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LFfjUMuUFU.exe.25a77c8.3.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.LFfjUMuUFU.exe.2596b50.5.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.LFfjUMuUFU.exe.67f0000.10.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@38/36@2/3
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe File created: C:\Users\user\AppData\Roaming\AAkXVY.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2520:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3664:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4068:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5136:120:WilError_03
Source: C:\Users\user\AppData\Roaming\456.exe Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Users\user\AppData\Roaming\1235.exe Mutant created: \Sessions\1\BaseNamedObjects\yolgBkNEg1jvKfWQ
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Mutant created: \Sessions\1\BaseNamedObjects\UAFCGPwQaLdiP
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1016:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1536:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\b9kP1CEzHmnrLLF0F
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe File created: C:\Users\user\AppData\Local\Temp\tmpB10A.tmp Jump to behavior
Source: LFfjUMuUFU.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LFfjUMuUFU.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 456.exe, 0000000B.00000002.3419628057.0000000007340000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 456.exe, 0000000B.00000002.3419628057.0000000007340000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 456.exe, 0000000B.00000002.3419628057.0000000007340000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LFfjUMuUFU.exe, 00000000.00000000.1968284586.0000000000062000.00000002.00000001.01000000.00000003.sdmp, AAkXVY.exe.0.dr Binary or memory string: select * from detainedLicenses_View order by IsReleased ,DetainID;
Source: 456.exe, 0000000B.00000002.3419628057.0000000007340000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: LFfjUMuUFU.exe, 00000000.00000000.1968284586.0000000000062000.00000002.00000001.01000000.00000003.sdmp, AAkXVY.exe.0.dr Binary or memory string: SELECT * FROM Users WHERE Username = @Username and Password=@Password;
Source: 456.exe, 0000000B.00000002.3419628057.0000000007340000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 456.exe, 0000000B.00000002.3419628057.0000000007340000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: LFfjUMuUFU.exe, 00000000.00000000.1968284586.0000000000062000.00000002.00000001.01000000.00000003.sdmp, AAkXVY.exe.0.dr Binary or memory string: select TestID from Tests where TestAppointmentID=@TestAppointmentID;mSELECT * FROM TestTypes WHERE TestTypeID = @TestTypeID
Source: 456.exe, 0000000B.00000002.3419628057.0000000007340000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: LFfjUMuUFU.exe ReversingLabs: Detection: 36%
Source: LFfjUMuUFU.exe Virustotal: Detection: 41%
Source: LFfjUMuUFU.exe String found in binary or memory: $42c49fa3-77d8-41fa-a100-addbd66b9f88
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe File read: C:\Users\user\Desktop\LFfjUMuUFU.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\LFfjUMuUFU.exe "C:\Users\user\Desktop\LFfjUMuUFU.exe"
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LFfjUMuUFU.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AAkXVY.exe"
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AAkXVY" /XML "C:\Users\user\AppData\Local\Temp\tmpB10A.tmp"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\AAkXVY.exe C:\Users\user\AppData\Roaming\AAkXVY.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Roaming\456.exe "C:\Users\user\AppData\Roaming\456.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Roaming\1235.exe "C:\Users\user\AppData\Roaming\1235.exe"
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\1235.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AAkXVY" /XML "C:\Users\user\AppData\Local\Temp\tmpE9DD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Roaming\456.exe "C:\Users\user\AppData\Roaming\456.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Roaming\1235.exe "C:\Users\user\AppData\Roaming\1235.exe"
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1235.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LFfjUMuUFU.exe" Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AAkXVY.exe" Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AAkXVY" /XML "C:\Users\user\AppData\Local\Temp\tmpB10A.tmp" Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Roaming\456.exe "C:\Users\user\AppData\Roaming\456.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Roaming\1235.exe "C:\Users\user\AppData\Roaming\1235.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AAkXVY" /XML "C:\Users\user\AppData\Local\Temp\tmpE9DD.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\1235.exe'
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1235.exe'
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Roaming\456.exe "C:\Users\user\AppData\Roaming\456.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Roaming\1235.exe "C:\Users\user\AppData\Roaming\1235.exe"
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\456.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\1235.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: LFfjUMuUFU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LFfjUMuUFU.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: LFfjUMuUFU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 456.exe, 0000000B.00000002.3419628057.0000000007340000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: OfXP.pdb source: LFfjUMuUFU.exe, AAkXVY.exe.0.dr
Source: Binary string: OfXP.pdbSHA256; source: LFfjUMuUFU.exe, AAkXVY.exe.0.dr

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.LFfjUMuUFU.exe.25a77c8.3.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.LFfjUMuUFU.exe.67f0000.10.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.LFfjUMuUFU.exe.2596b50.5.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 1235.exe.9.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1235.exe.9.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, YMLSD2UFO0T99idHX6.cs .Net Code: akO1kxXREe System.Reflection.Assembly.Load(byte[])
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, YMLSD2UFO0T99idHX6.cs .Net Code: akO1kxXREe System.Reflection.Assembly.Load(byte[])
Source: 456.exe.9.dr, Packet.cs .Net Code: Plugins System.AppDomain.Load(byte[])
Source: 1235.exe.9.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1235.exe.9.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 1235.exe.9.dr, Messages.cs .Net Code: Memory
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 9.2.MSBuild.exe.3053078.2.raw.unpack, Messages.cs .Net Code: Memory
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Code function: 0_2_067F6207 pushad ; iretd 0_2_067F6210
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Code function: 0_2_067F75F4 push cs; ret 0_2_067F75F5
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_07658CC0 push esp; iretd 11_2_07658CC1
Source: C:\Users\user\AppData\Roaming\456.exe Code function: 11_2_076D3CBA push eax; retf 11_2_076D3CC1
Source: C:\Users\user\AppData\Roaming\1235.exe Code function: 12_2_00007FF848C400BD pushad ; iretd 12_2_00007FF848C400C1
Source: C:\Users\user\AppData\Roaming\1235.exe Code function: 12_2_00007FF848C405FA push ebx; retf 12_2_00007FF848C4060A
Source: C:\Users\user\AppData\Roaming\1235.exe Code function: 12_2_00007FF848C406A8 push ebx; retf 12_2_00007FF848C406EA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FF848B3D2A5 pushad ; iretd 14_2_00007FF848B3D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FF848C500BD pushad ; iretd 14_2_00007FF848C500C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FF848D22316 push 8B485F94h; iretd 14_2_00007FF848D2231B
Source: C:\Users\user\AppData\Roaming\1235.exe Code function: 20_2_00007FF848C500BD pushad ; iretd 20_2_00007FF848C500C1
Source: C:\Users\user\AppData\Roaming\1235.exe Code function: 20_2_00007FF848C505FA push ebx; retf 20_2_00007FF848C5060A
Source: C:\Users\user\AppData\Roaming\1235.exe Code function: 20_2_00007FF848C506A8 push ebx; retf 20_2_00007FF848C506EA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_00007FF848B5D2A5 pushad ; iretd 22_2_00007FF848B5D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_00007FF848C70974 push E95B24D0h; ret 22_2_00007FF848C709C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_00007FF848C700BD pushad ; iretd 22_2_00007FF848C700C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_00007FF848D42316 push 8B485F92h; iretd 22_2_00007FF848D4231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_00007FF848B4D2A5 pushad ; iretd 25_2_00007FF848B4D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_00007FF848C6BA7A push E85B24D7h; ret 25_2_00007FF848C6BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_00007FF848C600BD pushad ; iretd 25_2_00007FF848C600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_00007FF848D32316 push 8B485F93h; iretd 25_2_00007FF848D3231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_00007FF848B2D2A5 pushad ; iretd 27_2_00007FF848B2D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_00007FF848C419DA pushad ; ret 27_2_00007FF848C419E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_00007FF848C400BD pushad ; iretd 27_2_00007FF848C400C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_00007FF848D12316 push 8B485F95h; iretd 27_2_00007FF848D1231B
Source: LFfjUMuUFU.exe Static PE information: section name: .text entropy: 7.729295745157341
Source: AAkXVY.exe.0.dr Static PE information: section name: .text entropy: 7.729295745157341
Source: 0.2.LFfjUMuUFU.exe.25a77c8.3.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, YpQXCYNKR2onvuIEdvJ.cs High entropy of concatenated method names: 'iiODKLWwON', 'SARDgcN43L', 'tPADkyCobh', 'XaTDdU3T8O', 'UR5D8PUnOG', 'NG4DFKGyAa', 'kkLD328y7T', 'VKhDMfyrYN', 'cRZDPfRyKa', 'YphDZeQowG'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, dafR7pfPvbZMQnCp1a.cs High entropy of concatenated method names: 'hwKadLUpEo', 'BLhaFq482W', 'sXAaMelv52', 'xKRaPBqFKG', 'dVSaWkg5ss', 'C6Za5yZ0sP', 'VUvaBkjYGf', 'yrtapZgQgu', 'A5waDuZKqb', 'eitabNG2Ne'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, nLTpG6jcEcbVhVMOwI.cs High entropy of concatenated method names: 'JeuOYeT8ZA', 'ThAOhX0DMS', 'gLqOfu6uQE', 'oCeONW8gFB', 'nR1OmB9tVR', 'QBKOy4WWpK', 'wlOOqELOKV', 'ul8ORheVik', 'nxgOwqkiac', 'BWuOXir9U6'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, KolvqSk5G77vLi1MrS.cs High entropy of concatenated method names: 'ea5xsAKu5O', 'YW3xOc7rN5', 'ourxJKA3mJ', 'Gmkxj2DIv7', 'RyUx4PI5Dn', 'pv1JmJFFS6', 'gc6JyLvK1y', 'i7jJqnVHW8', 'Q1gJRGD1i4', 'L7yJwHqEnx'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, w38UCa45nih6jq2Nnx.cs High entropy of concatenated method names: 'edvjrIqr2Y', 'bpKjal1LwD', 'ybxjxE0sV2', 'epHxX2wckc', 'RFQxz3IdJv', 'pYajQuiXSP', 'vWQjVO7GcS', 'oHJjCWDn9H', 'kgaj6xbcIP', 'M1Kj1aEuPr'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, R5SFLi1rjFNUNjc8ms.cs High entropy of concatenated method names: 'LXWWEpUblP', 'qOhWLOOinU', 'xiNWYL5qTr', 'eh1Wh5NZwg', 'vetWT88sSl', 'fSKWUYsxDc', 'QcJWiN5xhi', 'VL2WeYsZDn', 'kt7W9aqbuR', 'qK6WcDgrPs'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, edqFnPbfSYxXpVaq6g.cs High entropy of concatenated method names: 'PQxjKWjaeY', 'dMejgv9A8Y', 'xmKjk2Nv6O', 'EodjdAZleP', 'YaUj8ESfdH', 'S8OjFVngN9', 'cLVj3WZ6J3', 'ODXjMXY5VN', 'gPXjPa016j', 'BxTjZCxf6A'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, htgsnrzBWrynKMG00G.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GoJDASGNuJ', 'GI7DWIVTre', 'VRPD5H5hB5', 'DFnDBvuwte', 'lePDpabK2N', 'qkHDDfvGMB', 'twaDbetSYg'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, lc53UKdsLNMA9JB3tX.cs High entropy of concatenated method names: 'tNSpr49hL1', 'i9TpOXMlo3', 'VV8paexS4q', 'mxvpJVbfnF', 'r0TpxsGmCJ', 'Cn8pjj9f5E', 'zapp4k7WKE', 'tTkpuXqZVc', 'BUJp7mwMJo', 'p5vpndHVpy'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, mUHQmZCknomYEvrkk0.cs High entropy of concatenated method names: 'hVMB7qK9cM', 'uGwBnbTHMl', 'ToString', 'QVUBrABirD', 'Y0hBOfiN0Q', 'ytmBaJE0Y0', 'zb9BJkVQOs', 'kmLBxrvqxD', 'cEdBjmYaOA', 'aAxB42Ykim'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, CyPIduLoxJpeBBAfvX.cs High entropy of concatenated method names: 'Dispose', 'pmGVwXQJny', 'kQMCTJe40p', 'V3Ktth4qYy', 'yjaVXRI5Sb', 'LP3VzJonot', 'ProcessDialogKey', 'WYiCQkltr0', 'DYVCVkpSij', 'uZiCCdJdBW'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, CVjSrVxFOdf9wypesY.cs High entropy of concatenated method names: 'GdiVjrR4RV', 'XsZV44Jp69', 'duwV7PSao2', 'sh0Vn9QUQw', 'kTtVW5vdJK', 'PUqV5xAm14', 'AoQNLKQepxB8kfPOEL', 'WijSFv7XBUTVC6yYG3', 'VcTVVZbMOk', 'mL8V6EqK8o'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, WktbQ1ZGL66J15aMt4.cs High entropy of concatenated method names: 'LQgkvekCi', 'dnOdxET9Q', 'wgJFmjNIK', 'dpb3oOhl1', 'r7oPwZkrM', 'OgmZDcUFH', 'MOlGuUhiknE1OGymES', 'AoCos6gJ2AvGbOJuAE', 'QcQpldeKx', 'V88bjm9iA'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, EB3R8YlF9rqSiDCTYe.cs High entropy of concatenated method names: 'NT7J897ZG3', 'wXGJ3Ar3Aq', 'VTSaUTuDcw', 'uaAaiNNQYr', 'jJ6ae3GQyn', 'AKxa9HYM4y', 'kIGacOnjUC', 'gDLa0twIWo', 'q0VaGCHtJW', 'TD0aEJElFo'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, aDRSKmNvJ99wSraNTwM.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TNpbYtrMVm', 'RBkbhJIR8E', 'H24bfGpmtq', 'INibNRjH4X', 'UwQbmZipea', 'zKMbyoyegJ', 'Pp7bqe3t20'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, rG2gor5r6Pt1LhjWVK.cs High entropy of concatenated method names: 'Q8UAMLZceT', 'LKmAPHXDTo', 'jkBAlwO51o', 'XeTATM0ZFo', 'VgdAioWx1G', 'mCmAeIHJvb', 'IaYAcbnJ85', 'KTYA0rF0sm', 'PBbAEb0hq1', 'xeCAooSULX'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, T58wHXD28xKcOU9EyV.cs High entropy of concatenated method names: 'G9QDVVuVXR', 'UsWD6BHfj4', 'TWUD14bEcT', 'fCrDr9vosn', 'i2MDOMkVlK', 'I7qDJ146bH', 'r82Dxx4kch', 'vLWpqBR5Px', 'tb7pRFJyNr', 'iCjpw2WEqB'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, WFfdOltsu2FI3m1RTj.cs High entropy of concatenated method names: 'Rsmpl6ECrL', 'mGqpT82gN4', 'm7qpUJLbj1', 'dFRpiyBj7T', 'WrupYh4Od0', 'Xv2pe6EAQx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, YMLSD2UFO0T99idHX6.cs High entropy of concatenated method names: 'bA66sUIq5c', 'zEU6rGix0s', 'gfn6ObGVvH', 'cNg6aH7MKk', 'BM06JVgaas', 'eie6xj9S0K', 'PjU6jIBeA3', 'wdu64ITDRs', 'SFg6ulkgP2', 'AyS67UF03D'
Source: 0.2.LFfjUMuUFU.exe.7040000.11.raw.unpack, DGvAlgE9OTHwRX5g1i.cs High entropy of concatenated method names: 'zpHBRIyKls', 'RQ7BX1sZu2', 'Lu8pQZn7TN', 'mL0pVNBfMP', 'aELBo3d4Xc', 'KvkBLon23Q', 'nupB2xZo0p', 'ObPBYppfPA', 'QFJBh9OpYt', 's58Bfmkvss'
Source: 0.2.LFfjUMuUFU.exe.67f0000.10.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, YpQXCYNKR2onvuIEdvJ.cs High entropy of concatenated method names: 'iiODKLWwON', 'SARDgcN43L', 'tPADkyCobh', 'XaTDdU3T8O', 'UR5D8PUnOG', 'NG4DFKGyAa', 'kkLD328y7T', 'VKhDMfyrYN', 'cRZDPfRyKa', 'YphDZeQowG'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, dafR7pfPvbZMQnCp1a.cs High entropy of concatenated method names: 'hwKadLUpEo', 'BLhaFq482W', 'sXAaMelv52', 'xKRaPBqFKG', 'dVSaWkg5ss', 'C6Za5yZ0sP', 'VUvaBkjYGf', 'yrtapZgQgu', 'A5waDuZKqb', 'eitabNG2Ne'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, nLTpG6jcEcbVhVMOwI.cs High entropy of concatenated method names: 'JeuOYeT8ZA', 'ThAOhX0DMS', 'gLqOfu6uQE', 'oCeONW8gFB', 'nR1OmB9tVR', 'QBKOy4WWpK', 'wlOOqELOKV', 'ul8ORheVik', 'nxgOwqkiac', 'BWuOXir9U6'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, KolvqSk5G77vLi1MrS.cs High entropy of concatenated method names: 'ea5xsAKu5O', 'YW3xOc7rN5', 'ourxJKA3mJ', 'Gmkxj2DIv7', 'RyUx4PI5Dn', 'pv1JmJFFS6', 'gc6JyLvK1y', 'i7jJqnVHW8', 'Q1gJRGD1i4', 'L7yJwHqEnx'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, w38UCa45nih6jq2Nnx.cs High entropy of concatenated method names: 'edvjrIqr2Y', 'bpKjal1LwD', 'ybxjxE0sV2', 'epHxX2wckc', 'RFQxz3IdJv', 'pYajQuiXSP', 'vWQjVO7GcS', 'oHJjCWDn9H', 'kgaj6xbcIP', 'M1Kj1aEuPr'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, R5SFLi1rjFNUNjc8ms.cs High entropy of concatenated method names: 'LXWWEpUblP', 'qOhWLOOinU', 'xiNWYL5qTr', 'eh1Wh5NZwg', 'vetWT88sSl', 'fSKWUYsxDc', 'QcJWiN5xhi', 'VL2WeYsZDn', 'kt7W9aqbuR', 'qK6WcDgrPs'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, edqFnPbfSYxXpVaq6g.cs High entropy of concatenated method names: 'PQxjKWjaeY', 'dMejgv9A8Y', 'xmKjk2Nv6O', 'EodjdAZleP', 'YaUj8ESfdH', 'S8OjFVngN9', 'cLVj3WZ6J3', 'ODXjMXY5VN', 'gPXjPa016j', 'BxTjZCxf6A'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, htgsnrzBWrynKMG00G.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GoJDASGNuJ', 'GI7DWIVTre', 'VRPD5H5hB5', 'DFnDBvuwte', 'lePDpabK2N', 'qkHDDfvGMB', 'twaDbetSYg'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, lc53UKdsLNMA9JB3tX.cs High entropy of concatenated method names: 'tNSpr49hL1', 'i9TpOXMlo3', 'VV8paexS4q', 'mxvpJVbfnF', 'r0TpxsGmCJ', 'Cn8pjj9f5E', 'zapp4k7WKE', 'tTkpuXqZVc', 'BUJp7mwMJo', 'p5vpndHVpy'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, mUHQmZCknomYEvrkk0.cs High entropy of concatenated method names: 'hVMB7qK9cM', 'uGwBnbTHMl', 'ToString', 'QVUBrABirD', 'Y0hBOfiN0Q', 'ytmBaJE0Y0', 'zb9BJkVQOs', 'kmLBxrvqxD', 'cEdBjmYaOA', 'aAxB42Ykim'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, CyPIduLoxJpeBBAfvX.cs High entropy of concatenated method names: 'Dispose', 'pmGVwXQJny', 'kQMCTJe40p', 'V3Ktth4qYy', 'yjaVXRI5Sb', 'LP3VzJonot', 'ProcessDialogKey', 'WYiCQkltr0', 'DYVCVkpSij', 'uZiCCdJdBW'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, CVjSrVxFOdf9wypesY.cs High entropy of concatenated method names: 'GdiVjrR4RV', 'XsZV44Jp69', 'duwV7PSao2', 'sh0Vn9QUQw', 'kTtVW5vdJK', 'PUqV5xAm14', 'AoQNLKQepxB8kfPOEL', 'WijSFv7XBUTVC6yYG3', 'VcTVVZbMOk', 'mL8V6EqK8o'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, WktbQ1ZGL66J15aMt4.cs High entropy of concatenated method names: 'LQgkvekCi', 'dnOdxET9Q', 'wgJFmjNIK', 'dpb3oOhl1', 'r7oPwZkrM', 'OgmZDcUFH', 'MOlGuUhiknE1OGymES', 'AoCos6gJ2AvGbOJuAE', 'QcQpldeKx', 'V88bjm9iA'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, EB3R8YlF9rqSiDCTYe.cs High entropy of concatenated method names: 'NT7J897ZG3', 'wXGJ3Ar3Aq', 'VTSaUTuDcw', 'uaAaiNNQYr', 'jJ6ae3GQyn', 'AKxa9HYM4y', 'kIGacOnjUC', 'gDLa0twIWo', 'q0VaGCHtJW', 'TD0aEJElFo'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, aDRSKmNvJ99wSraNTwM.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TNpbYtrMVm', 'RBkbhJIR8E', 'H24bfGpmtq', 'INibNRjH4X', 'UwQbmZipea', 'zKMbyoyegJ', 'Pp7bqe3t20'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, rG2gor5r6Pt1LhjWVK.cs High entropy of concatenated method names: 'Q8UAMLZceT', 'LKmAPHXDTo', 'jkBAlwO51o', 'XeTATM0ZFo', 'VgdAioWx1G', 'mCmAeIHJvb', 'IaYAcbnJ85', 'KTYA0rF0sm', 'PBbAEb0hq1', 'xeCAooSULX'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, T58wHXD28xKcOU9EyV.cs High entropy of concatenated method names: 'G9QDVVuVXR', 'UsWD6BHfj4', 'TWUD14bEcT', 'fCrDr9vosn', 'i2MDOMkVlK', 'I7qDJ146bH', 'r82Dxx4kch', 'vLWpqBR5Px', 'tb7pRFJyNr', 'iCjpw2WEqB'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, WFfdOltsu2FI3m1RTj.cs High entropy of concatenated method names: 'Rsmpl6ECrL', 'mGqpT82gN4', 'm7qpUJLbj1', 'dFRpiyBj7T', 'WrupYh4Od0', 'Xv2pe6EAQx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, YMLSD2UFO0T99idHX6.cs High entropy of concatenated method names: 'bA66sUIq5c', 'zEU6rGix0s', 'gfn6ObGVvH', 'cNg6aH7MKk', 'BM06JVgaas', 'eie6xj9S0K', 'PjU6jIBeA3', 'wdu64ITDRs', 'SFg6ulkgP2', 'AyS67UF03D'
Source: 0.2.LFfjUMuUFU.exe.3906490.6.raw.unpack, DGvAlgE9OTHwRX5g1i.cs High entropy of concatenated method names: 'zpHBRIyKls', 'RQ7BX1sZu2', 'Lu8pQZn7TN', 'mL0pVNBfMP', 'aELBo3d4Xc', 'KvkBLon23Q', 'nupB2xZo0p', 'ObPBYppfPA', 'QFJBh9OpYt', 's58Bfmkvss'
Source: 0.2.LFfjUMuUFU.exe.2596b50.5.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Roaming\456.exe Jump to dropped file
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe File created: C:\Users\user\AppData\Roaming\AAkXVY.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Roaming\1235.exe Jump to dropped file

Boot Survival
barindex
Yara detected AsyncRAT
Source: Yara match File source: 11.0.456.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.2007187382.00000000009A2000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3354395323.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 456.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\456.exe, type: DROPPED
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AAkXVY" /XML "C:\Users\user\AppData\Local\Temp\tmpB10A.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Stores large binary data to the registry
Source: C:\Users\user\AppData\Roaming\456.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\742D0701C511376451FD 648D1D9E4AE2F0DC8C47BA685FB1523F0B37AA06CE6AA7F4D08C04AD7F0B55D4 Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\1235.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: LFfjUMuUFU.exe PID: 5844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AAkXVY.exe PID: 3996, type: MEMORYSTR
Yara detected AsyncRAT
Source: Yara match File source: 11.0.456.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.2007187382.00000000009A2000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3354395323.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 456.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\456.exe, type: DROPPED
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: MSBuild.exe, 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 456.exe, 0000000B.00000000.2007187382.00000000009A2000.00000002.00000001.01000000.0000000E.sdmp, 456.exe.9.dr Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory allocated: 740000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory allocated: 2550000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory allocated: AE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory allocated: 70C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory allocated: 80C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory allocated: 8360000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory allocated: 9360000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 12D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 3030000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2E40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Memory allocated: 1530000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Memory allocated: 31C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Memory allocated: 51C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Memory allocated: 7980000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Memory allocated: 8980000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Memory allocated: 8C10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Memory allocated: 9C10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Memory allocated: 1210000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Memory allocated: 2D60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Memory allocated: 2B80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\1235.exe Memory allocated: 1560000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\1235.exe Memory allocated: 1B110000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 12A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2E90000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4E90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\456.exe Memory allocated: 15A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\456.exe Memory allocated: 2F30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\456.exe Memory allocated: 15A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\1235.exe Memory allocated: B70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\1235.exe Memory allocated: 1A6C0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\456.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\1235.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4401 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6143 Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Window / User API: threadDelayed 7386 Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Window / User API: threadDelayed 2239 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8186
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1372
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9275
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8451
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1066
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8577
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1051
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe TID: 6968 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5264 Thread sleep count: 4401 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6484 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3032 Thread sleep count: 178 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3596 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1960 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1288 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3172 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe TID: 4204 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe TID: 5360 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4084 Thread sleep count: 8186 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 768 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4084 Thread sleep count: 1372 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6764 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\456.exe TID: 5840 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\1235.exe TID: 6444 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2232 Thread sleep count: 9275 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1268 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4996 Thread sleep count: 8451 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2780 Thread sleep count: 1066 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3136 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3596 Thread sleep count: 8577 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5976 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5552 Thread sleep count: 1051 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\456.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1235.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\456.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\1235.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\456.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\1235.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: MSBuild.exe, 00000009.00000002.2012159817.0000000001327000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: AAkXVY.exe, 0000000A.00000002.2195456128.0000000001661000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 456.exe.9.dr Binary or memory string: vmware
Source: AAkXVY.exe, 0000000A.00000002.2195456128.0000000001661000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\{T
Source: 456.exe, 0000000B.00000002.3354395323.0000000002D61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $cq,gs0gnSjSNM4+8CYNva87VU6tWvx/lSPh5QO+/RcNJRNbKkXVCeQoHQeTrUMZ46sk1RAZs4//V9ujM5wPmi7oiZO0ykuaXdaVh1r6PksVvah8z4wFY1EoLewJNtsRk4+gm09Hht/OMTecyPubyVc5em0E1LN4EEPFnVn784cAetxmL0L7MsFFvx8Z+G3Bv7+tby8znYV+Ep1zkfffw1FMa+a/EDr8PevPmWHKJuuWKV3dQlCNwM1jEwwxnI6MUkJT8bWPfnzMxGwlQwno46jJGZELocr1NuAB8tXa5vwOB2H9bpmdgTFd1oTig0kOpyB2QeO3KeHauyinpKo2AeTyEGxtmxBQNTMOpv9bYkIQGJE2fjppmbyiuRtVVF9YLFruX0XNwtq+M7Mqh03abAWqHn0paLGknM75rY+06Q275yCe3YdzGHG+9dtlg3yGCuIQWVu0mclm9FX438Nn1lrVOue5d94h58Q0hLzn31ceh8EP8fI8obQwCRAQDLuNgmahjguAu25k+NUNVHOZO97Tx5LKLCjBWegzcfT++f0DLku35NJWGCmawUIYVZZkzMF9BtGnQkUbS1n4dL1TLDYLLmRePLmgAgVZ4o9ld4VtXx741+cZJG4Mn5SHVt76UuCOjxXpx9xMMN9uHkC2SKhVin0ydrnrOqdtuYExnJOdqhqETuhIfCTcArOjsWvZl3FfnYlaxFVEgl3vBHaGrRduqtWzFQDadeJ2G7L7gPmKH6c1CLWUkOTa0PPsokrSVC+bdmwHKMEOjsR0pIycKJBVPttOnPft2qQnpqT3RY0BwAFY6inKF9mQKKBcecrNGo4Tm7mi/YCDLorC+Iep8iqzGUpEYv90Q+rfAnxJAffTTcUKE8zVELAYhJcTaNm/ghDTUNaFJs1lual/ifkCLLTcDfbuIszq7m0Dg4ufwjhiOmB9jPxw4GzB6oK/QwFoHirfiicZjjjKNs84icncATryqsYH/K1aGQgCsV7D6wZ7OUK3beH+GtMYonhbjEw3CBrZohrFi68yX06byJWkTNbOtJEvmsIeFuqzZKMlZwvcNocXel5I4NAP1yV6rrN2QHR/jSlyQlYErBVndS7N9NMo/iZQLvMcIOf7namihOHpOxjmUajnMSCLLcBNZR+zZqXfeP270P1wHgOqcS6GUizMjjYUfxf9C1VKw0ceAwXrNQHfIKI1c+Zk1F/Has0+0K9TgfxKgWPCkxABdkCHwmTE8nSs7F5f/M3Dpa/sMCEI69arKcdnS/hp/ype7X49w2dH7cZi0gi3y0vlgWjvIeHexpk6Ls+x7Rq8xJM+eOtgQDKa1QM0rlVipKvlS/Jos94QwtI7fVmLmzTS/Qmghp17bZSZ5V86LrwdgU51xc3ObZB6B7k0LEInua07JoMaq0TJEItgXk4YMDgzCkW+GRRP8nr4Wez7y2R354W0BQ1tFQSutIVA8hnt3wRwpaGGgYD0C2V+6TRg/gndI3QnUFY6P93YgbrWYbMypwwpKjSGU5IWZy2JF2Mf4SpCcJR4PdtCqouWjBf8IVPF+jpjD9qBle/gdbISDEYphroufn2AhQLuHmm9aDmcVCGSwRsrUMB9nx339YYffGcqCxwY4f6V+GDPgPbcKRWtTcTJWebHiaEESbe0Q3XGaimeEJ9PEvLlpLhcqTqemfXbB/Br0QaXCfuo1oaFFkobbLd4zV8R5uiMXlvGKZDZZju5be4RCY+JPvqdGNe3PqimixOo2/RfQlSTvy4z9GISYoThsN68SbVaGfZxU9uYudD9lU50g7aF11wRc+B5toq3r1sxMS8bBuZrv74lrP7x7e7+gvGcLZAYD8hjTJ0hTu2sEk1Dfz5CmoeOL9xeehiSkXM7XcK+WmSgD7QintRdSQgTyk80S/eG3ml4kGz0cfDtQvBBidefAkD5dSpm4zeO2mlBWkH9IWi8c7b0PsUt4mk/vP+ZUOUCp6jWNbfVvqKNeDWAV7qHxbMu0b2Rwlypc4CVeDnWs1O03q83eswIr53GzAEHhdKaLIunhD0NTiPzgvEClyftXv3QAAXGCgnx4dCAa70Aj9yIvEiCmgvvubE/6BP714SIa6W1ec1uhZ87BskhhTeZfljBgfJ+2ckXoV/W2I2/ayBIb36RtEx3k4DOOfsbEGzDYrhNa8pSBBYfe2qGuzGn861KMTmnJK/kqWVCS/0ZfQW4P4v0XoehGxbu9D/tLSvG/1pWKiJOIjvi4zyvuqb2i1lRX5h8aYGPQ3D9UjdX/PNdNT43WdDzqlRPdl7ef8DQ6DIaolny4bc123i04IoJF3jTvEoLzBZ9poAXXp6I/ofrmT0pReiUVP0Hk0nFf0I=
Source: MSBuild.exe, 00000012.00000002.2152966455.00000000012F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 456.exe.9.dr Binary or memory string: Ygs0gnSjSNM4+8CYNva87VU6tWvx/lSPh5QO+/RcNJRNbKkXVCeQoHQeTrUMZ46sk1RAZs4//V9ujM5wPmi7oiZO0ykuaXdaVh1r6PksVvah8z4wFY1EoLewJNtsRk4+gm09Hht/OMTecyPubyVc5em0E1LN4EEPFnVn784cAetxmL0L7MsFFvx8Z+G3Bv7+tby8znYV+Ep1zkfffw1FMa+a/EDr8PevPmWHKJuuWKV3dQlCNwM1jEwwxnI6MUkJT8bWPfnzMxGwlQwno46jJGZELocr1NuAB8tXa5vwOB2H9bpmdgTFd1oTig0kOpyB2QeO3KeHauyinpKo2AeTyEGxtmxBQNTMOpv9bYkIQGJE2fjppmbyiuRtVVF9YLFruX0XNwtq+M7Mqh03abAWqHn0paLGknM75rY+06Q275yCe3YdzGHG+9dtlg3yGCuIQWVu0mclm9FX438Nn1lrVOue5d94h58Q0hLzn31ceh8EP8fI8obQwCRAQDLuNgmahjguAu25k+NUNVHOZO97Tx5LKLCjBWegzcfT++f0DLku35NJWGCmawUIYVZZkzMF9BtGnQkUbS1n4dL1TLDYLLmRePLmgAgVZ4o9ld4VtXx741+cZJG4Mn5SHVt76UuCOjxXpx9xMMN9uHkC2SKhVin0ydrnrOqdtuYExnJOdqhqETuhIfCTcArOjsWvZl3FfnYlaxFVEgl3vBHaGrRduqtWzFQDadeJ2G7L7gPmKH6c1CLWUkOTa0PPsokrSVC+bdmwHKMEOjsR0pIycKJBVPttOnPft2qQnpqT3RY0BwAFY6inKF9mQKKBcecrNGo4Tm7mi/YCDLorC+Iep8iqzGUpEYv90Q+rfAnxJAffTTcUKE8zVELAYhJcTaNm/ghDTUNaFJs1lual/ifkCLLTcDfbuIszq7m0Dg4ufwjhiOmB9jPxw4GzB6oK/QwFoHirfiicZjjjKNs84icncATryqsYH/K1aGQgCsV7D6wZ7OUK3beH+GtMYonhbjEw3CBrZohrFi68yX06byJWkTNbOtJEvmsIeFuqzZKMlZwvcNocXel5I4NAP1yV6rrN2QHR/jSlyQlYErBVndS7N9NMo/iZQLvMcIOf7namihOHpOxjmUajnMSCLLcBNZR+zZqXfeP270P1wHgOqcS6GUizMjjYUfxf9C1VKw0ceAwXrNQHfIKI1c+Zk1F/Has0+0K9TgfxKgWPCkxABdkCHwmTE8nSs7F5f/M3Dpa/sMCEI69arKcdnS/hp/ype7X49w2dH7cZi0gi3y0vlgWjvIeHexpk6Ls+x7Rq8xJM+eOtgQDKa1QM0rlVipKvlS/Jos94QwtI7fVmLmzTS/Qmghp17bZSZ5V86LrwdgU51xc3ObZB6B7k0LEInua07JoMaq0TJEItgXk4YMDgzCkW+GRRP8nr4Wez7y2R354W0BQ1tFQSutIVA8hnt3wRwpaGGgYD0C2V+6TRg/gndI3QnUFY6P93YgbrWYbMypwwpKjSGU5IWZy2JF2Mf4SpCcJR4PdtCqouWjBf8IVPF+jpjD9qBle/gdbISDEYphroufn2AhQLuHmm9aDmcVCGSwRsrUMB9nx339YYffGcqCxwY4f6V+GDPgPbcKRWtTcTJWebHiaEESbe0Q3XGaimeEJ9PEvLlpLhcqTqemfXbB/Br0QaXCfuo1oaFFkobbLd4zV8R5uiMXlvGKZDZZju5be4RCY+JPvqdGNe3PqimixOo2/RfQlSTvy4z9GISYoThsN68SbVaGfZxU9uYudD9lU50g7aF11wRc+B5toq3r1sxMS8bBuZrv74lrP7x7e7+gvGcLZAYD8hjTJ0hTu2sEk1Dfz5CmoeOL9xeehiSkXM7XcK+WmSgD7QintRdSQgTyk80S/eG3ml4kGz0cfDtQvBBidefAkD5dSpm4zeO2mlBWkH9IWi8c7b0PsUt4mk/vP+ZUOUCp6jWNbfVvqKNeDWAV7qHxbMu0b2Rwlypc4CVeDnWs1O03q83eswIr53GzAEHhdKaLIunhD0NTiPzgvEClyftXv3QAAXGCgnx4dCAa70Aj9yIvEiCmgvvubE/6BP714SIa6W1ec1uhZ87BskhhTeZfljBgfJ+2ckXoV/W2I2/ayBIb36RtEx3k4DOOfsbEGzDYrhNa8pSBBYfe2qGuzGn861KMTmnJK/kqWVCS/0ZfQW4P4v0XoehGxbu9D/tLSvG/1pWKiJOIjvi4zyvuqb2i1lRX5h8aYGPQ3D9UjdX/PNdNT43WdDzqlRPdl7ef8DQ6DIaolny4bc123i04IoJF3jTvEoLzBZ9poAXXp6I/ofrmT0pReiUVP0Hk0nFf0I=
Source: 456.exe, 00000013.00000002.2268754749.0000000002F31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $cq,gs0gnSjSNM4+8CYNva87VU6tWvx/lSPh5QO+/RcNJRNbKkXVCeQoHQeTrUMZ46sk1RAZs4//V9ujM5wPmi7oiZO0ykuaXdaVh1r6PksVvah8z4wFY1EoLewJNtsRk4+gm09Hht/OMTecyPubyVc5em0E1LN4EEPFnVn784cAetxmL0L7MsFFvx8Z+G3Bv7+tby8znYV+Ep1zkfffw1FMa+a/EDr8PevPmWHKJuuWKV3dQlCNwM1jEwwxnI6MUkJT8bWPfnzMxGwlQwno46jJGZELocr1NuAB8tXa5vwOB2H9bpmdgTFd1oTig0kOpyB2QeO3KeHauyinpKo2AeTyEGxtmxBQNTMOpv9bYkIQGJE2fjppmbyiuRtVVF9YLFruX0XNwtq+M7Mqh03abAWqHn0paLGknM75rY+06Q275yCe3YdzGHG+9dtlg3yGCuIQWVu0mclm9FX438Nn1lrVOue5d94h58Q0hLzn31ceh8EP8fI8obQwCRAQDLuNgmahjguAu25k+NUNVHOZO97Tx5LKLCjBWegzcfT++f0DLku35NJWGCmawUIYVZZkzMF9BtGnQkUbS1n4dL1TLDYLLmRePLmgAgVZ4o9ld4VtXx741+cZJG4Mn5SHVt76UuCOjxXpx9xMMN9uHkC2SKhVin0ydrnrOqdtuYExnJOdqhqETuhIfCTcArOjsWvZl3FfnYlaxFVEgl3vBHaGrRduqtWzFQDadeJ2G7L7gPmKH6c1CLWUkOTa0PPsokrSVC+bdmwHKMEOjsR0pIycKJBVPttOnPft2qQnpqT3RY0BwAFY6inKF9mQKKBcecrNGo4Tm7mi/YCDLorC+Iep8iqzGUpEYv90Q+rfAnxJAffTTcUKE8zVELAYhJcTaNm/ghDTUNaFJs1lual/ifkCLLTcDfbuIszq7m0Dg4ufwjhiOmB9jPxw4GzB6oK/QwFoHirfiicZjjjKNs84icncATryqsYH/K1aGQgCsV7D6wZ7OUK3beH+GtMYonhbjEw3CBrZohrFi68yX06byJWkTNbOtJEvmsIeFuqzZKMlZwvcNocXel5I4NAP1yV6rrN2QHR/jSlyQlYErBVndS7N9NMo/iZQLvMcIOf7namihOHpOxjmUajnMSCLLcBNZR+zZqXfeP270P1wHgOqcS6GUizMjjYUfxf9C1VKw0ceAwXrNQHfIKI1c+Zk1F/Has0+0K9TgfxKgWPCkxABdkCHwmTE8nSs7F5f/M3Dpa/sMCEI69arKcdnS/hp/ype7X49w2dH7cZi0gi3y0vlgWjvIeHexpk6Ls+x7Rq8xJM+eOtgQDKa1QM0rlVipKvlS/Jos94QwtI7fVmLmzTS/Qmghp17bZSZ5V86LrwdgU51xc3ObZB6B7k0LEInua07JoMaq0TJEItgXk4YMDgzCkW+GRRP8nr4Wez7y2R354W0BQ1tFQSutIVA8hnt3wRwpaGGgYD0C2V+6TRg/gndI3QnUFY6P93YgbrWYbMypwwpKjSGU5IWZy2JF2Mf4SpCcJR4PdtCqouWjBf8IVPF+jpjD9qBle/gdbISDEYphroufn2AhQLuHmm9aDmcVCGSwRsrUMB9nx339YYffGcqCxwY4f6V+GDPgPbcKRWtTcTJWebHiaEESbe0Q3XGaimeEJ9PEvLlpLhcqTqemfXbB/Br0QaXCfuo1oaFFkobbLd4zV8R5uiMXlvGKZDZZju5be4RCY+JPvqdGNe3PqimixOo2/RfQlSTvy4z9GISYoThsN68SbVaGfZxU9uYudD9lU50g7aF11wRc+B5toq3r1sxMS8bBuZrv74lrP7x7e7+gvGcLZAYD8hjTJ0hTu2sEk1Dfz5CmoeOL9xeehiSkXM7XcK+WmSgD7QintRdSQgTyk80S/eG3ml4kGz0cfDtQvBBidefAkD5dSpm4zeO2mlBWkH9IWi8c7b0PsUt4mk/vP+ZUOUCp6jWNbfVvqKNeDWAV7qHxbMu0b2Rwlypc4CVeDnWs1O03q83eswIr53GzAEHhdKaLIunhD0NTiPzgvEClyftXv3QAAXGCgnx4dCAa70Aj9yIvEiCmgvvubE/6BP714SIa6W1ec1uhZ87BskhhTeZfljBgfJ+2ckXoV/W2I2/ayBIb36RtEx3k4DOOfsbEGzDYrhNa8pSBBYfe2qGuzGn861KMTmnJK/kqWVCS/0ZfQW4P4v0XoehGxbu9D/tLSvG/1pWKiJOIjvi4zyvuqb2i1lRX5h8aYGPQ3D9UjdX/PNdNT43WdDzqlRPdl7ef8DQ6DIaolny4bc123i04IoJF3jTvEoLzBZ9poAXXp6I/ofrmT0pReiUVP0Hk0nFf0I=KNH
Source: 456.exe, 0000000B.00000002.3398649290.00000000051A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\1235.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LFfjUMuUFU.exe"
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AAkXVY.exe"
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\1235.exe'
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LFfjUMuUFU.exe" Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AAkXVY.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\1235.exe'
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write Jump to behavior
Bypasses PowerShell execution policy
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\1235.exe'
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000 Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 432000 Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FEE008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 432000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: DD1008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LFfjUMuUFU.exe" Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AAkXVY.exe" Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AAkXVY" /XML "C:\Users\user\AppData\Local\Temp\tmpB10A.tmp" Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Roaming\456.exe "C:\Users\user\AppData\Roaming\456.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Roaming\1235.exe "C:\Users\user\AppData\Roaming\1235.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AAkXVY" /XML "C:\Users\user\AppData\Local\Temp\tmpE9DD.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\1235.exe'
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1235.exe'
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Roaming\1235.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Roaming\456.exe "C:\Users\user\AppData\Roaming\456.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Users\user\AppData\Roaming\1235.exe "C:\Users\user\AppData\Roaming\1235.exe"
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Queries volume information: C:\Users\user\Desktop\LFfjUMuUFU.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Queries volume information: C:\Users\user\AppData\Roaming\AAkXVY.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\AAkXVY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Queries volume information: C:\Users\user\AppData\Roaming\456.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\456.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\1235.exe Queries volume information: C:\Users\user\AppData\Roaming\1235.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\456.exe Queries volume information: C:\Users\user\AppData\Roaming\456.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\1235.exe Queries volume information: C:\Users\user\AppData\Roaming\1235.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\LFfjUMuUFU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Yara detected AsyncRAT
Source: Yara match File source: 11.0.456.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.2007187382.00000000009A2000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3354395323.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 456.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\456.exe, type: DROPPED
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Roaming\456.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 10.2.AAkXVY.exe.32177e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.25a77c8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.2596b50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.456.exe.3d69d70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.456.exe.3d69d70.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.25a77c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.456.exe.7300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.67f0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AAkXVY.exe.3206b68.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.67f0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AAkXVY.exe.32177e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AAkXVY.exe.3206b68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.2596b50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AAkXVY.exe.31e464c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.456.exe.7300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.2574634.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AAkXVY.exe.3456d68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AAkXVY.exe.3459d98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.27e6d08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.27e9d38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AAkXVY.exe.3457d80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.27e7d20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2203533506.000000000342F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2062419285.00000000067F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2203533506.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2047181888.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3417677870.0000000007300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3395591047.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2047181888.00000000027BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4712, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: 9.2.MSBuild.exe.3047c50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.1235.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.MSBuild.exe.2eb59e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MSBuild.exe.3053078.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.MSBuild.exe.2eaa5c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.MSBuild.exe.2eaa5c0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.MSBuild.exe.2eb59e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.2008108195.0000000000E12000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2158028253.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 1235.exe PID: 6552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4712, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\1235.exe, type: DROPPED
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 11.2.456.exe.7364216.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.456.exe.7364216.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.456.exe.7340000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.456.exe.7340000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3419628057.0000000007340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 456.exe PID: 6660, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 10.2.AAkXVY.exe.32177e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.25a77c8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.2596b50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.456.exe.3d69d70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.456.exe.3d69d70.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.25a77c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.456.exe.7300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.67f0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AAkXVY.exe.3206b68.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.67f0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AAkXVY.exe.32177e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AAkXVY.exe.3206b68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.2596b50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AAkXVY.exe.31e464c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.456.exe.7300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.2574634.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AAkXVY.exe.3456d68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AAkXVY.exe.3459d98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.27e6d08.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.27e9d38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.AAkXVY.exe.3457d80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LFfjUMuUFU.exe.27e7d20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2203533506.000000000342F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2062419285.00000000067F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2203533506.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2047181888.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3417677870.0000000007300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3395591047.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2047181888.00000000027BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4712, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: 9.2.MSBuild.exe.3047c50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.1235.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.MSBuild.exe.2eb59e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MSBuild.exe.3053078.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.MSBuild.exe.2eaa5c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.MSBuild.exe.2eaa5c0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MSBuild.exe.3053078.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.MSBuild.exe.2eb59e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MSBuild.exe.3047c50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.2008108195.0000000000E12000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2014527353.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2158028253.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 1235.exe PID: 6552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 4712, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\1235.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1436255 Sample: LFfjUMuUFU.exe Startdate: 04/05/2024 Architecture: WINDOWS Score: 100 79 api.telegram.org 2->79 81 beshomandotestbesnd.run.place 2->81 89 Snort IDS alert for network traffic 2->89 91 Multi AV Scanner detection for domain / URL 2->91 93 Found malware configuration 2->93 97 18 other signatures 2->97 10 LFfjUMuUFU.exe 7 2->10         started        14 AAkXVY.exe 5 2->14         started        signatures3 95 Uses the Telegram API (likely for C&C communication) 79->95 process4 file5 69 C:\Users\user\AppData\Roaming\AAkXVY.exe, PE32 10->69 dropped 71 C:\Users\user\AppData\Local\...\tmpB10A.tmp, XML 10->71 dropped 99 Uses schtasks.exe or at.exe to add and modify task schedules 10->99 101 Writes to foreign memory regions 10->101 103 Allocates memory in foreign processes 10->103 105 Adds a directory exclusion to Windows Defender 10->105 16 MSBuild.exe 4 10->16         started        20 powershell.exe 23 10->20         started        22 powershell.exe 23 10->22         started        24 schtasks.exe 1 10->24         started        107 Multi AV Scanner detection for dropped file 14->107 109 Machine Learning detection for dropped file 14->109 111 Injects a PE file into a foreign processes 14->111 26 MSBuild.exe 14->26         started        28 schtasks.exe 14->28         started        signatures6 process7 file8 65 C:\Users\user\AppData\Roaming\456.exe, PE32 16->65 dropped 67 C:\Users\user\AppData\Roaming\1235.exe, PE32 16->67 dropped 85 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->85 30 1235.exe 16->30         started        33 456.exe 1 2 16->33         started        87 Loading BitLocker PowerShell Module 20->87 36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 456.exe 26->42         started        44 1235.exe 26->44         started        46 conhost.exe 28->46         started        signatures9 process10 dnsIp11 113 Antivirus detection for dropped file 30->113 115 Multi AV Scanner detection for dropped file 30->115 117 Machine Learning detection for dropped file 30->117 121 2 other signatures 30->121 48 powershell.exe 30->48         started        51 powershell.exe 30->51         started        53 powershell.exe 30->53         started        55 powershell.exe 30->55         started        73 45.61.150.201, 49710, 7707 QUICKPACKETUS United States 33->73 75 beshomandotestbesnd.run.place 45.88.186.125, 49718, 49719, 49722 ANONYMIZEEpikNetworkCH Netherlands 33->75 77 127.0.0.1 unknown unknown 33->77 119 Protects its processes via BreakOnTermination flag 33->119 signatures12 process13 signatures14 83 Loading BitLocker PowerShell Module 48->83 57 conhost.exe 48->57         started        59 conhost.exe 51->59         started        61 conhost.exe 53->61         started        63 conhost.exe 55->63         started        process15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
45.61.150.201
 unknown United States
46261 QUICKPACKETUS true
45.88.186.125
 beshomandotestbesnd.run.place Netherlands
34962 ANONYMIZEEpikNetworkCH true

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
beshomandotestbesnd.run.place 45.88.186.125 true
api.telegram.org 149.154.167.220 true
fp2e7a.wpc.phicdn.net 192.229.211.108 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
beshomandotestbesnd.run.place true
  • 10%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
45.61.150.201 true
  • 3%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
127.0.0.1 true
  • 2%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown