Windows Analysis Report
bank slip.exe

Overview

General Information

Sample name: bank slip.exe
Analysis ID: 1436607
MD5: 64ff7f01e8a040dd0708d0d3c72a09f7
SHA1: 71d66159d1414876a6ae19696a5a3d99fc5df6a6
SHA256: 0eb53728acb5e4b7c857ed35dacc4ba1264249cada90f5e69d3fde4e9b243190
Tags: exe

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 11.2.mKSjGvfmIulVB.exe.4318670.6.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.vw-rmplcars.co.in", "Username": "account.sw@vw-rmplcars.co.in", "Password": "Gagan#456"}
Source: vw-rmplcars.co.in Virustotal: Detection: 10%
Source: http://vw-rmplcars.co.in Virustotal: Detection: 10%
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Virustotal: Detection: 38%
Source: bank slip.exe ReversingLabs: Detection: 23%
Source: bank slip.exe Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Joe Sandbox ML: detected
Source: bank slip.exe Joe Sandbox ML: detected
Source: bank slip.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: bank slip.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: NjBW.pdb source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr
Source: Binary string: RegSvcs.pdb, source: GUIVTme.exe, 0000000F.00000000.2169045059.0000000000EC2000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr
Source: Binary string: NjBW.pdbSHA256 source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr
Source: Binary string: RegSvcs.pdb source: GUIVTme.exe, 0000000F.00000000.2169045059.0000000000EC2000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr
Source: C:\Users\user\Desktop\bank slip.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 0_2_06A10125
Source: C:\Users\user\Desktop\bank slip.exe Code function: 4x nop then jmp 06A13F4Ah 0_2_06A13556
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Code function: 4x nop then jmp 076231BAh 11_2_076227C6
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 11_2_07620125

Networking

Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49710 -> 111.118.215.27:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49710 -> 111.118.215.27:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49710 -> 111.118.215.27:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49710 -> 111.118.215.27:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49710 -> 111.118.215.27:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49710 -> 111.118.215.27:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49712 -> 111.118.215.27:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49712 -> 111.118.215.27:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49712 -> 111.118.215.27:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49712 -> 111.118.215.27:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49712 -> 111.118.215.27:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49712 -> 111.118.215.27:587
Source: Yara match File source: 0.2.bank slip.exe.38d7bb8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bank slip.exe.389c998.7.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.5:49710 -> 111.118.215.27:587
Source: Joe Sandbox View IP Address: 111.118.215.27
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: mail.vw-rmplcars.co.in
Source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 00000009.00000002.2091471993.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3246056841.000000000309A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.vw-rmplcars.co.in
Source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: bank slip.exe, 00000000.00000002.2071630541.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, mKSjGvfmIulVB.exe, 0000000B.00000002.2121255868.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000009.00000002.2091471993.000000000304A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3246056841.000000000309A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://vw-rmplcars.co.in
Source: bank slip.exe, 00000000.00000002.2072649003.000000000389C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2088618533.0000000000402000.00000040.00000400.00020000.00000000.sdmp, mKSjGvfmIulVB.exe, 0000000B.00000002.2126436227.00000000042DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.bank slip.exe.389c998.7.raw.unpack, xljC6U.cs .Net Code: vThHZOOISq
Source: 0.2.bank slip.exe.38d7bb8.6.raw.unpack, xljC6U.cs .Net Code: vThHZOOISq

System Summary

Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.bank slip.exe.389c998.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.mKSjGvfmIulVB.exe.4318670.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.bank slip.exe.38d7bb8.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.mKSjGvfmIulVB.exe.4318670.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.bank slip.exe.38d7bb8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.bank slip.exe.389c998.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\bank slip.exe Code function: 0_2_0259E47C
Source: C:\Users\user\Desktop\bank slip.exe Code function: 0_2_04BA7C98
Source: C:\Users\user\Desktop\bank slip.exe Code function: 0_2_04BA7C70
Source: C:\Users\user\Desktop\bank slip.exe Code function: 0_2_04BA0920
Source: C:\Users\user\Desktop\bank slip.exe Code function: 0_2_04BA0910
Source: C:\Users\user\Desktop\bank slip.exe Code function: 0_2_068A6A00
Source: C:\Users\user\Desktop\bank slip.exe Code function: 0_2_068AAB60
Source: C:\Users\user\Desktop\bank slip.exe Code function: 0_2_068A003F
Source: C:\Users\user\Desktop\bank slip.exe Code function: 0_2_068A0040
Source: C:\Users\user\Desktop\bank slip.exe Code function: 0_2_068AC190
Source: C:\Users\user\Desktop\bank slip.exe Code function: 0_2_06A147B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_012CA3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_012CD780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_012C9810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_012C4AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_012C3EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_012C41F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_06393278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_06394288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0639E030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0639C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_06390040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_06398EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_06395A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_06395330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_06393990
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Code function: 11_2_0544E47C
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Code function: 11_2_074BAB60
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Code function: 11_2_074B6A00
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Code function: 11_2_074BC190
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Code function: 11_2_074B0040
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Code function: 11_2_074B0006
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Code function: 11_2_07623A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_02E7A3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_02E741F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_02E7D778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_02E74AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_02E73EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_05CD8EB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_05CDC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_05CDE020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_05CD0D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_05CD5330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_05CD5A10
Source: bank slip.exe Static PE information: invalid certificate
Source: bank slip.exe, 00000000.00000002.2075170107.0000000006A80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs bank slip.exe
Source: bank slip.exe, 00000000.00000002.2071630541.00000000025C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename922eeda8-5113-4aeb-9b31-a4e56d848d57.exe4 vs bank slip.exe
Source: bank slip.exe, 00000000.00000000.1982387453.0000000000262000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNjBW.exe( vs bank slip.exe
Source: bank slip.exe, 00000000.00000002.2072649003.000000000389C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename922eeda8-5113-4aeb-9b31-a4e56d848d57.exe4 vs bank slip.exe
Source: bank slip.exe, 00000000.00000002.2072649003.000000000389C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs bank slip.exe
Source: bank slip.exe, 00000000.00000002.2046567402.00000000006FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs bank slip.exe
Source: bank slip.exe, 00000000.00000002.2076413089.0000000009869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNjBW.exe( vs bank slip.exe
Source: bank slip.exe Binary or memory string: OriginalFilenameNjBW.exe( vs bank slip.exe
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.bank slip.exe.389c998.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.mKSjGvfmIulVB.exe.4318670.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.bank slip.exe.38d7bb8.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.mKSjGvfmIulVB.exe.4318670.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.bank slip.exe.38d7bb8.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.bank slip.exe.389c998.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: bank slip.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mKSjGvfmIulVB.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.bank slip.exe.5140000.8.raw.unpack, -.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.bank slip.exe.5140000.8.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bank slip.exe.389c998.7.raw.unpack, 9O2OLI.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.bank slip.exe.389c998.7.raw.unpack, hdYUG.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bank slip.exe.389c998.7.raw.unpack, LGBZ4N2f.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bank slip.exe.389c998.7.raw.unpack, F8OmG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.bank slip.exe.389c998.7.raw.unpack, Bgo.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, sfsXZwXfvR3dieCKhH.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs Security API names: _0020.SetAccessControl
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs Security API names: _0020.AddAccessRule
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, sfsXZwXfvR3dieCKhH.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs Security API names: _0020.SetAccessControl
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/19@1/1
Source: C:\Users\user\Desktop\bank slip.exe File created: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4832:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Mutant created: \Sessions\1\BaseNamedObjects\EdtZvPE
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3092:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Users\user\Desktop\bank slip.exe File created: C:\Users\user\AppData\Local\Temp\tmp2859.tmp
Source: bank slip.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\bank slip.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\bank slip.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\bank slip.exe File read: C:\Users\user\Desktop\bank slip.exe
Source: unknown Process created: C:\Users\user\Desktop\bank slip.exe "C:\Users\user\Desktop\bank slip.exe"
Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp4AB6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\bank slip.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\bank slip.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\bank slip.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: bank slip.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: bank slip.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: bank slip.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: NjBW.pdb source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr
Source: Binary string: RegSvcs.pdb, source: GUIVTme.exe, 0000000F.00000000.2169045059.0000000000EC2000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr
Source: Binary string: NjBW.pdbSHA256 source: bank slip.exe, mKSjGvfmIulVB.exe.0.dr
Source: Binary string: RegSvcs.pdb source: GUIVTme.exe, 0000000F.00000000.2169045059.0000000000EC2000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr

Data Obfuscation

Source: 0.2.bank slip.exe.260f66c.1.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.bank slip.exe.6750000.10.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs .Net Code: bUZDm6yIUj System.Reflection.Assembly.Load(byte[])
Source: 0.2.bank slip.exe.5140000.8.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs .Net Code: bUZDm6yIUj System.Reflection.Assembly.Load(byte[])
Source: 0.2.bank slip.exe.35c9970.4.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0639A365 push 8B0405CCh; iretd 9_2_0639A36A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_05CD7D37 pushad ; retf 14_2_05CD7D41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_05CD6468 push eax; retf 14_2_05CD646E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_05CD1778 push es; retf 14_2_05CD177A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_05CD66A0 push esp; retf 14_2_05CD66A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_05CD30F1 push ds; retf 14_2_05CD30F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_05CD2838 push ss; retf 14_2_05CD2842
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_05CD2298 push cs; retf 14_2_05CD22A2
Source: bank slip.exe Static PE information: section name: .text entropy: 7.962545979931204
Source: mKSjGvfmIulVB.exe.0.dr Static PE information: section name: .text entropy: 7.962545979931204
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, HxsbFDEGN9yUQ06UPl.cs High entropy of concatenated method names: 'Gs3vPaIkSA', 'IJsvsucB6B', 'sLevwPL59E', 'Qs5vHgSk4H', 'N5Qvq12YFH', 'vuQv8WOgXG', 'ecNv6ZBQl3', 'E54vWCcZYi', 'lNCvUqeyXf', 'g2RvfMJF8J'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, KDgZwpWiswQerbEGq0d.cs High entropy of concatenated method names: 'qBDX8eiikioJA', 'UGCQwwCCfLZM3I1ggHM', 'SGOYgFCPK9EHS6B8L8W', 'dUWmDYCXUSL7yAo0bsp', 'BR2flPCm2JHJQ9EXNYO', 'YxSpPhCcTlucnEUgaBC'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, RPBv9eW6P3fcSVhK7Q6.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nPv7OFCsXB', 'Mu97nTjuua', 'z1l7tpu6DC', 'vOx7B8pPPP', 'IB37y1uRxB', 'B8U7lqkR16', 'qgI7i2dV5v'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, h0ksr6wL5baDLWDeKh.cs High entropy of concatenated method names: 'p9CXR6CL4I', 'af7XGTu5i1', 'tQar1Xlwxg', 'vY3rYuyqIP', 'IubXfLgSOa', 'stxXLgMs6T', 'qpkXu4RQIw', 'JpDXONZh4f', 'LvnXnpgEBJ', 'OpFXtHpTtq'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, LuAmB1CIIBw0IIen84.cs High entropy of concatenated method names: 'uUAm34lTZ', 'J4xV4tVZt', 'sSZhNLRPU', 'W1jK3VSLN', 'OWMssnrw4', 'gEpIOrSt2', 'w3DfiEdqesAAVIUP75', 'hIxk1u9ltAxoTB6UJK', 'UU5ronB8n', 'wQy7Z3QBc'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, DhkeECurkuM2ajfWWK.cs High entropy of concatenated method names: 'uDGr5yCfeX', 'wvWr0dnCB8', 'ymOrZ23Pt6', 'DOUrA7q92l', 'jh6rbEhjb8', 'hIMraGEVxT', 'Mf0rJh45n0', 'ygsreVyp0T', 'jgerkO4JJt', 'smxrjodxxm'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, sfsXZwXfvR3dieCKhH.cs High entropy of concatenated method names: 'YiU0OufSNm', 'z9i0n4ipEG', 'Lm00tsR1eX', 'hDJ0BkH2R2', 'aUh0ybjvXx', 'mp80lp9Xlo', 'sHS0i91quN', 'zTJ0R5eWM2', 'MFA0cu1dV7', 'smI0GoLdSm'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, J4A3nvmZhShG1GYEQC.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YmCNcMnCeq', 'NtqNGlSwO9', 'KAjNzYD1ME', 'MUyg1ly9Gs', 'BCkgYYXAFy', 'kw5gN7K2t4', 'EenggbBxnZ', 'Jj4kEBgc4dr9geLRrGo'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs High entropy of concatenated method names: 'NXAgpSUtEN', 'K9Cg5riOUp', 'TIbg0eJT1e', 'k7MgZnEZJk', 'eJxgAvWARR', 'bU7gbXc9Ny', 'dFVgaa9mFK', 'XrAgJ5bSYx', 'JpFget3PxG', 'eKJgkR2f2Y'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, wWkMA98MASUoIsFn4D.cs High entropy of concatenated method names: 'ToString', 'H8e9fTReSf', 'Vjw9HMOSPX', 'aDF9daCfIn', 'oYL9qjQ1RB', 'apo98terv2', 'bYK92qkZ1t', 'EtX96er81k', 'QLW9W5FFeX', 'evq9T7siJM'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, rdZNDk11na0gtIvC30.cs High entropy of concatenated method names: 'XhBMYqWebf', 'V0eMgcuxni', 'EG7MDlR3Kx', 'TpnM5J3fFy', 'JJOM0yjYnH', 'dMIMATgFr8', 'qHFMbJ0gfv', 'uaOriemfoK', 'I30rRX29EZ', 'hKxrcH4pNx'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, UfiEhAqDBRkf2XDQp0.cs High entropy of concatenated method names: 'Tk1SUP3Fqb', 'jx4SLLsFla', 'KMiSO7UFh7', 'MCiSnUDoKA', 'xDlSHbs4Gw', 'z6iSdYeAcc', 'iUySqKngX3', 'UaBS8RTyL8', 'GmqS23bauH', 'UM6S6L7QVK'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, W5NXKHMEm5Ij918IP7.cs High entropy of concatenated method names: 'QgvXk4pUVt', 'l4gXjsLqkl', 'ToString', 'Ar1X5tacoG', 'pVaX0eqs9V', 'FapXZURIcs', 'jTDXAmywlC', 'srlXb6R35Y', 'EVWXamgb3o', 'Tv1XJn0ll6'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, Ep5nCIitlJU5ZYBXvp.cs High entropy of concatenated method names: 'CXLYaqNn54', 'zCbYJ9oL65', 'SRYYk8HhEw', 'DwDYjeBskG', 'X25YScAJ1X', 'pcjY96OfvN', 'wIrtDp71pY7vyKBqMM', 'cSZ2liZPgDqxvZa89G', 'tAgYYldZAp', 'L04YgIgdft'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, R7bVXuZ7MHjwb6DtgD.cs High entropy of concatenated method names: 'eukA4bblGb', 'zykAKrCvBd', 'lu0ZdRHtDw', 'uX1ZqZu6wG', 'PhgZ8CiWne', 'KiYZ2XJygS', 'klCZ6uWFWq', 'LluZWZVy6l', 'SOdZTFu2pj', 'P34ZUDQk8m'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, A6VJMMhuqgN8emaiMN.cs High entropy of concatenated method names: 'SeWrw4Qgns', 'FFNrH1r4c8', 'wnUrdA6X2X', 'cbBrqtpYPA', 'QZbrO4EvhQ', 'JmQr8m3Abt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, AQKpSGeTUbq29D6fK9.cs High entropy of concatenated method names: 'sbtbpix1bH', 'nqgb0CoXp0', 'Pu6bAv6J25', 'BfKbaKWa5h', 'k9JbJ2MGvV', 'tkZAyYL42j', 'AYYAlvdiLG', 'PEZAirePfZ', 'LAAAR0XvfB', 'OW5AcMu1R8'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, jmNIBcrHrW0ELPZGY6.cs High entropy of concatenated method names: 'Er4a5a19cy', 'W8gaZ1reJu', 'qZmab8RrCN', 'eXvbGARaVF', 'bpAbzkKBy3', 'AkWa1C0Q1s', 'EDHaYvUyt3', 'kMoaNPMZf1', 'lw5agQw1EV', 'dIbaDoJbUB'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, fqCqGBPw45OflmtbiV.cs High entropy of concatenated method names: 'Dispose', 'Du1YcRnvKw', 'a8yNHNyfl3', 'dniooc7Fr2', 'XUXYGAfjdg', 'tgIYz0PaV2', 'ProcessDialogKey', 'IsZN1pZd1V', 'UuqNYWPHYp', 'yFcNN4atNj'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, x0DyjfzCgiXqO6cHLY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Y7UMvd8gfk', 'DVKMSHddrK', 'kPmM9ST8L7', 'SnbMXPSUBM', 'OI1MrFyxmg', 'CeCMMJ4HLF', 'qEMM7kxEmA'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, pssgAdWQVCHOX6LkNrQ.cs High entropy of concatenated method names: 'xKMMQHqDTo', 'HhPME4AqoJ', 'jTHMmH5CZn', 'GRQMVL2mxa', 'y5eM4D0bLA', 'C6pMhMOOuS', 'nSDMKaYI0c', 'l2wMPJKRub', 'xHCMsL6Ylk', 'D3eMIHfpiI'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, RYQ0TUYmVRwcWgAP8g.cs High entropy of concatenated method names: 'nATZVtn5AL', 'PuYZhxnT3k', 'jDtZPfuAGR', 'snQZsK738G', 'iiCZSCNs9d', 'v8IZ9Cv5or', 'jncZXPlJTJ', 'ecbZrciJdh', 'masZM3AWsT', 'RQFZ7vmB5n'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, CdNb8MHDbjsBQ7T66m.cs High entropy of concatenated method names: 'sghaQllE8V', 'dBpaER9nBx', 'aukamyehLL', 'F3raVC8iUJ', 'nS9a4P3gn5', 'fjwahJ5dle', 'TVdaKIsuI4', 'E1paPKp3Vl', 'PJYaslH4xW', 'lUxaIVusgu'
Source: 0.2.bank slip.exe.39b1e08.5.raw.unpack, kLyHujWW6FSxHLWh9NF.cs High entropy of concatenated method names: 'ToString', 'xVA7gb6X1l', 'iuV7DAFhmG', 'P6y7pa5xqy', 'yIN75ApCuc', 'C0v70iAb1P', 'GZ97ZfgM7F', 'NJh7At9q6y', 'DKoeVtmHlj4w1TIEG7Q', 'iIpZ9XmqLF1fgNQto3a'
Source: 0.2.bank slip.exe.389c998.7.raw.unpack, E93JP.cs High entropy of concatenated method names: 'O3GewIY79r', 'ozlix3jYlSi', 'rTdmwtTHv1N', 'jqRy6h0g1cX', 'JG6N0SP', 'x9Oe05WPWUp', 'JhSgt5x', 'H9d', 'OBrYDtnZ2J', 'ZQHYbk'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, HxsbFDEGN9yUQ06UPl.cs High entropy of concatenated method names: 'Gs3vPaIkSA', 'IJsvsucB6B', 'sLevwPL59E', 'Qs5vHgSk4H', 'N5Qvq12YFH', 'vuQv8WOgXG', 'ecNv6ZBQl3', 'E54vWCcZYi', 'lNCvUqeyXf', 'g2RvfMJF8J'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, KDgZwpWiswQerbEGq0d.cs High entropy of concatenated method names: 'qBDX8eiikioJA', 'UGCQwwCCfLZM3I1ggHM', 'SGOYgFCPK9EHS6B8L8W', 'dUWmDYCXUSL7yAo0bsp', 'BR2flPCm2JHJQ9EXNYO', 'YxSpPhCcTlucnEUgaBC'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, RPBv9eW6P3fcSVhK7Q6.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nPv7OFCsXB', 'Mu97nTjuua', 'z1l7tpu6DC', 'vOx7B8pPPP', 'IB37y1uRxB', 'B8U7lqkR16', 'qgI7i2dV5v'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, h0ksr6wL5baDLWDeKh.cs High entropy of concatenated method names: 'p9CXR6CL4I', 'af7XGTu5i1', 'tQar1Xlwxg', 'vY3rYuyqIP', 'IubXfLgSOa', 'stxXLgMs6T', 'qpkXu4RQIw', 'JpDXONZh4f', 'LvnXnpgEBJ', 'OpFXtHpTtq'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, LuAmB1CIIBw0IIen84.cs High entropy of concatenated method names: 'uUAm34lTZ', 'J4xV4tVZt', 'sSZhNLRPU', 'W1jK3VSLN', 'OWMssnrw4', 'gEpIOrSt2', 'w3DfiEdqesAAVIUP75', 'hIxk1u9ltAxoTB6UJK', 'UU5ronB8n', 'wQy7Z3QBc'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, DhkeECurkuM2ajfWWK.cs High entropy of concatenated method names: 'uDGr5yCfeX', 'wvWr0dnCB8', 'ymOrZ23Pt6', 'DOUrA7q92l', 'jh6rbEhjb8', 'hIMraGEVxT', 'Mf0rJh45n0', 'ygsreVyp0T', 'jgerkO4JJt', 'smxrjodxxm'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, sfsXZwXfvR3dieCKhH.cs High entropy of concatenated method names: 'YiU0OufSNm', 'z9i0n4ipEG', 'Lm00tsR1eX', 'hDJ0BkH2R2', 'aUh0ybjvXx', 'mp80lp9Xlo', 'sHS0i91quN', 'zTJ0R5eWM2', 'MFA0cu1dV7', 'smI0GoLdSm'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, J4A3nvmZhShG1GYEQC.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'YmCNcMnCeq', 'NtqNGlSwO9', 'KAjNzYD1ME', 'MUyg1ly9Gs', 'BCkgYYXAFy', 'kw5gN7K2t4', 'EenggbBxnZ', 'Jj4kEBgc4dr9geLRrGo'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, RYNQdoLFBlDdX1Oj8U.cs High entropy of concatenated method names: 'NXAgpSUtEN', 'K9Cg5riOUp', 'TIbg0eJT1e', 'k7MgZnEZJk', 'eJxgAvWARR', 'bU7gbXc9Ny', 'dFVgaa9mFK', 'XrAgJ5bSYx', 'JpFget3PxG', 'eKJgkR2f2Y'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, wWkMA98MASUoIsFn4D.cs High entropy of concatenated method names: 'ToString', 'H8e9fTReSf', 'Vjw9HMOSPX', 'aDF9daCfIn', 'oYL9qjQ1RB', 'apo98terv2', 'bYK92qkZ1t', 'EtX96er81k', 'QLW9W5FFeX', 'evq9T7siJM'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, rdZNDk11na0gtIvC30.cs High entropy of concatenated method names: 'XhBMYqWebf', 'V0eMgcuxni', 'EG7MDlR3Kx', 'TpnM5J3fFy', 'JJOM0yjYnH', 'dMIMATgFr8', 'qHFMbJ0gfv', 'uaOriemfoK', 'I30rRX29EZ', 'hKxrcH4pNx'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, UfiEhAqDBRkf2XDQp0.cs High entropy of concatenated method names: 'Tk1SUP3Fqb', 'jx4SLLsFla', 'KMiSO7UFh7', 'MCiSnUDoKA', 'xDlSHbs4Gw', 'z6iSdYeAcc', 'iUySqKngX3', 'UaBS8RTyL8', 'GmqS23bauH', 'UM6S6L7QVK'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, W5NXKHMEm5Ij918IP7.cs High entropy of concatenated method names: 'QgvXk4pUVt', 'l4gXjsLqkl', 'ToString', 'Ar1X5tacoG', 'pVaX0eqs9V', 'FapXZURIcs', 'jTDXAmywlC', 'srlXb6R35Y', 'EVWXamgb3o', 'Tv1XJn0ll6'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, Ep5nCIitlJU5ZYBXvp.cs High entropy of concatenated method names: 'CXLYaqNn54', 'zCbYJ9oL65', 'SRYYk8HhEw', 'DwDYjeBskG', 'X25YScAJ1X', 'pcjY96OfvN', 'wIrtDp71pY7vyKBqMM', 'cSZ2liZPgDqxvZa89G', 'tAgYYldZAp', 'L04YgIgdft'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, R7bVXuZ7MHjwb6DtgD.cs High entropy of concatenated method names: 'eukA4bblGb', 'zykAKrCvBd', 'lu0ZdRHtDw', 'uX1ZqZu6wG', 'PhgZ8CiWne', 'KiYZ2XJygS', 'klCZ6uWFWq', 'LluZWZVy6l', 'SOdZTFu2pj', 'P34ZUDQk8m'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, A6VJMMhuqgN8emaiMN.cs High entropy of concatenated method names: 'SeWrw4Qgns', 'FFNrH1r4c8', 'wnUrdA6X2X', 'cbBrqtpYPA', 'QZbrO4EvhQ', 'JmQr8m3Abt', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, AQKpSGeTUbq29D6fK9.cs High entropy of concatenated method names: 'sbtbpix1bH', 'nqgb0CoXp0', 'Pu6bAv6J25', 'BfKbaKWa5h', 'k9JbJ2MGvV', 'tkZAyYL42j', 'AYYAlvdiLG', 'PEZAirePfZ', 'LAAAR0XvfB', 'OW5AcMu1R8'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, jmNIBcrHrW0ELPZGY6.cs High entropy of concatenated method names: 'Er4a5a19cy', 'W8gaZ1reJu', 'qZmab8RrCN', 'eXvbGARaVF', 'bpAbzkKBy3', 'AkWa1C0Q1s', 'EDHaYvUyt3', 'kMoaNPMZf1', 'lw5agQw1EV', 'dIbaDoJbUB'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, fqCqGBPw45OflmtbiV.cs High entropy of concatenated method names: 'Dispose', 'Du1YcRnvKw', 'a8yNHNyfl3', 'dniooc7Fr2', 'XUXYGAfjdg', 'tgIYz0PaV2', 'ProcessDialogKey', 'IsZN1pZd1V', 'UuqNYWPHYp', 'yFcNN4atNj'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, x0DyjfzCgiXqO6cHLY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Y7UMvd8gfk', 'DVKMSHddrK', 'kPmM9ST8L7', 'SnbMXPSUBM', 'OI1MrFyxmg', 'CeCMMJ4HLF', 'qEMM7kxEmA'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, pssgAdWQVCHOX6LkNrQ.cs High entropy of concatenated method names: 'xKMMQHqDTo', 'HhPME4AqoJ', 'jTHMmH5CZn', 'GRQMVL2mxa', 'y5eM4D0bLA', 'C6pMhMOOuS', 'nSDMKaYI0c', 'l2wMPJKRub', 'xHCMsL6Ylk', 'D3eMIHfpiI'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, RYQ0TUYmVRwcWgAP8g.cs High entropy of concatenated method names: 'nATZVtn5AL', 'PuYZhxnT3k', 'jDtZPfuAGR', 'snQZsK738G', 'iiCZSCNs9d', 'v8IZ9Cv5or', 'jncZXPlJTJ', 'ecbZrciJdh', 'masZM3AWsT', 'RQFZ7vmB5n'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, CdNb8MHDbjsBQ7T66m.cs High entropy of concatenated method names: 'sghaQllE8V', 'dBpaER9nBx', 'aukamyehLL', 'F3raVC8iUJ', 'nS9a4P3gn5', 'fjwahJ5dle', 'TVdaKIsuI4', 'E1paPKp3Vl', 'PJYaslH4xW', 'lUxaIVusgu'
Source: 0.2.bank slip.exe.6a80000.11.raw.unpack, kLyHujWW6FSxHLWh9NF.cs High entropy of concatenated method names: 'ToString', 'xVA7gb6X1l', 'iuV7DAFhmG', 'P6y7pa5xqy', 'yIN75ApCuc', 'C0v70iAb1P', 'GZ97ZfgM7F', 'NJh7At9q6y', 'DKoeVtmHlj4w1TIEG7Q', 'iIpZ9XmqLF1fgNQto3a'
Source: 0.2.bank slip.exe.260f66c.1.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.bank slip.exe.6750000.10.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.bank slip.exe.38d7bb8.6.raw.unpack, E93JP.cs High entropy of concatenated method names: 'O3GewIY79r', 'ozlix3jYlSi', 'rTdmwtTHv1N', 'jqRy6h0g1cX', 'JG6N0SP', 'x9Oe05WPWUp', 'JhSgt5x', 'H9d', 'OBrYDtnZ2J', 'ZQHYbk'
Source: C:\Users\user\Desktop\bank slip.exe File created: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
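The indicators listed under Data Obfuscation rest on two measurements and one API pattern: the Shannon entropy of a PE section (7.96 bits per byte for .text here, close to the 8.0 ceiling of uniformly random data), the entropy of the concatenated method names, and calls to Assembly.Load(byte[]) and Marshal.GetDelegateForFunctionPointer reached through reflection rather than as direct references. The script below is an added example, not code from the report or from Joe Sandbox. It recomputes those measurements on constructed inputs: a deterministic pseudo-random buffer standing in for a packed section, a repetitive plain buffer for contrast, the obfuscated and the ordinary method names quoted in the indicators above, and a constructed snippet mirroring the ".Net Code" lines. The 7.2 section threshold and the 5.0 name-entropy threshold are assumptions; the report does not publish its cut-offs.

```python
"""
Added example, not code from the report or from Joe Sandbox: the measurements
behind the "Data Obfuscation" indicators, run on constructed inputs.
"""
import hashlib
import math
import re
from collections import Counter

# 7.2 bits/byte is a widely used cut-off for "packed or encrypted" sections
# (assumption; the report shows 7.96 for .text but does not state a threshold).
PACKED_SECTION_THRESHOLD = 7.2
# Cut-off for "high entropy of concatenated method names" (assumption).
OBFUSCATED_NAMES_THRESHOLD = 5.0


def shannon_entropy(data):
    """Shannon entropy in bits per symbol of a bytes or str value; 0.0 if empty."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def classify_section(entropy):
    return "packed/encrypted" if entropy >= PACKED_SECTION_THRESHOLD else "plain"


def method_name_entropy(names):
    """Entropy of the names joined together, as the report's indicator measures it."""
    return shannon_entropy("".join(names))


def names_look_obfuscated(names):
    return method_name_entropy(names) >= OBFUSCATED_NAMES_THRESHOLD


# Reflection calls the report singles out: Assembly.Load(byte[]) maps an
# assembly straight from memory, GetDelegateForFunctionPointer makes a raw
# address callable, and GetMethod(...) resolves a method by name at runtime
# so the call never appears as a direct reference in the IL.
REFLECTION_PATTERNS = {
    "Assembly.Load(byte[])": re.compile(r"Assembly\.Load\(byte\[\]\)"),
    "GetDelegateForFunctionPointer": re.compile(r"GetDelegateForFunctionPointer"),
    "GetMethod(...)": re.compile(r"\.GetMethod\("),
}


def find_reflection_indicators(source_text):
    return [name for name, rx in REFLECTION_PATTERNS.items() if rx.search(source_text)]


def pseudo_random_bytes(size):
    """Deterministic SHA-256 chain: a stand-in for a packed section (constructed)."""
    out, block = bytearray(), b"constructed-seed"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


# Constructed inputs: a 64 KiB pseudo-random "section", a repetitive plain
# buffer, the obfuscated and ordinary method names quoted in the report, and
# a snippet mirroring the report's ".Net Code" lines.
PACKED_TEXT_SECTION = pseudo_random_bytes(64 * 1024)
PLAIN_TEXT_SECTION = b"Section loaded: kernel32.dll\r\n" * 2000
OBFUSCATED_NAMES = ["Gs3vPaIkSA", "IJsvsucB6B", "sLevwPL59E", "Qs5vHgSk4H", "N5Qvq12YFH",
                    "vuQv8WOgXG", "ecNv6ZBQl3", "E54vWCcZYi", "lNCvUqeyXf", "g2RvfMJF8J"]
NORMAL_NAMES = ["CanConvertFrom", "ConvertFrom", "ConvertTo", "ToString", "Dispose",
                "ProcessDialogKey", "EditValue", "GetEditStyle"]
DECOMPILED_SNIPPET = """
Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{...})
bUZDm6yIUj System.Reflection.Assembly.Load(byte[])
"""


def report():
    """Collect the measurements for the constructed inputs."""
    packed = shannon_entropy(PACKED_TEXT_SECTION)
    plain = shannon_entropy(PLAIN_TEXT_SECTION)
    return {
        "packed_section_entropy": round(packed, 3),
        "packed_section_verdict": classify_section(packed),
        "plain_section_entropy": round(plain, 3),
        "plain_section_verdict": classify_section(plain),
        "obfuscated_name_entropy": round(method_name_entropy(OBFUSCATED_NAMES), 3),
        "normal_name_entropy": round(method_name_entropy(NORMAL_NAMES), 3),
        "obfuscated_names_flagged": names_look_obfuscated(OBFUSCATED_NAMES),
        "normal_names_flagged": names_look_obfuscated(NORMAL_NAMES),
        "reflection_indicators": find_reflection_indicators(DECOMPILED_SNIPPET),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Two things the numbers above make visible. The .text entropy of 7.962545979931204 is identical for bank slip.exe and the dropped mKSjGvfmIulVB.exe, and both carry the same NjBW.pdb string, so the dropped file is a byte-for-byte copy of the sample placed under AppData\Roaming rather than a separate second stage. And on .NET Framework 4.8 an Assembly.Load(byte[]) call hands the buffer to AMSI before it is mapped, which is consistent with amsi.dll appearing among the sections mKSjGvfmIulVB.exe loads above even though it is not a script host.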

Boot Survival

Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GUIVTme
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GUIVTme

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\bank slip.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: bank slip.exe PID: 6756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mKSjGvfmIulVB.exe PID: 7552, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\bank slip.exe Memory allocated: 2380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bank slip.exe Memory allocated: 25C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bank slip.exe Memory allocated: 24D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bank slip.exe Memory allocated: 6EE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bank slip.exe Memory allocated: 7EE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bank slip.exe Memory allocated: 8080000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bank slip.exe Memory allocated: 9080000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Memory allocated: 1430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Memory allocated: 3000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Memory allocated: 2E00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Memory allocated: 7850000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Memory allocated: 8850000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Memory allocated: 89E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Memory allocated: 99E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 1490000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 3240000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 3060000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 2340000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 4340000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bank slip.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4998
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4645
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 3217
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 727
Source: C:\Users\user\Desktop\bank slip.exe TID: 6196 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3656 Thread sleep count: 4998 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4092 Thread sleep count: 172 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7380 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7288 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe TID: 7592 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe TID: 7916 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe TID: 8140 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\bank slip.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99733
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99401
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96839
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94950
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99097
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93721
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Thread delayed: delay time: 922337203685477
Source: RegSvcs.exe, 00000009.00000002.2112938225.0000000006270000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3252060777.00000000063B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\bank slip.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\bank slip.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\bank slip.exe Memory allocated: page read and write | page guard Jump to behavior
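Analyst note on the delay values listed above (added commentary and example, not part of this sandbox report). 922337203685477 ms is the largest 64-bit count of 100-ns ticks expressed in milliseconds, i.e. the longest interval NtDelayExecution can be asked for, roughly 29,000 years: an effectively infinite wait. It carries no timing information and has to be set aside before any sleep total is computed, otherwise every process in the list trivially exceeds any long-sleep threshold. The RegSvcs.exe values in between (100000, 99875, 99748 ... 93154) are a different pattern: a strictly decreasing series in steps of roughly 110 to 130 ms, consistent with a loop that recomputes the time left until a deadline and sleeps for that remainder. That construction resists sandboxes which shortcut individual Sleep calls, because each shortened sleep is followed by a fresh request for almost the same interval. The Python below parses "Thread delayed" lines in the format used on this page and separates the sentinel from genuine countdown loops; the sample lines are copied from this report, and the 180 s long-sleep threshold, the 5-entry minimum run length and the 1000 ms maximum step are assumed tuning values.

```python
import re
from collections import defaultdict

# Largest 64-bit count of 100-ns ticks, in milliseconds: the sentinel "sleep forever" value.
INFINITE_WAIT_MS = (2**63 - 1) // 10_000   # 922337203685477

# "Thread delayed" line in the report format; a trailing "Jump to behavior" link label is ignored.
DELAY_RE = re.compile(r"^Source: (?P<proc>.+?) Thread delayed: delay time: (?P<ms>\d+)")


def parse_delays(lines):
    """Group delay values per process, in the order they appear."""
    per_proc = defaultdict(list)
    for line in lines:
        m = DELAY_RE.match(line.strip())
        if m:
            per_proc[m.group("proc")].append(int(m.group("ms")))
    return per_proc


def countdown_runs(delays, min_len=5, max_step=1000):
    """Maximal runs of at least min_len consecutive delays that strictly decrease
    by at most max_step ms each (both limits are assumed tuning values)."""
    runs, start = [], 0
    for i in range(1, len(delays) + 1):
        continues = i < len(delays) and 0 < delays[i - 1] - delays[i] <= max_step
        if not continues:
            if i - start >= min_len:
                runs.append(delays[start:i])
            start = i
    return runs


def sleep_profile(lines, long_sleep_ms=180_000):
    """Per-process summary: sentinel waits, total finite sleep, and countdown loops."""
    profile = {}
    for proc, delays in parse_delays(lines).items():
        finite = [d for d in delays if d < INFINITE_WAIT_MS]      # drop the sentinel first
        runs = countdown_runs(delays)
        longest = max(runs, key=len) if runs else []
        profile[proc] = {
            "infinite_waits": len(delays) - len(finite),
            "total_finite_ms": sum(finite),
            "long_sleep": sum(finite) >= long_sleep_ms,           # threshold is an assumption
            "countdown_runs": len(runs),
            "longest_countdown": len(longest),
            "mean_step_ms": (longest[0] - longest[-1]) / (len(longest) - 1) if len(longest) > 1 else 0.0,
        }
    return profile


# Sample lines copied from this report: the dropped copy, one RegSvcs.exe instance, the renamed copy.
SAMPLE = r"""
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99097
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98689
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Thread delayed: delay time: 922337203685477
""".strip().splitlines()

if __name__ == "__main__":
    for proc, summary in sleep_profile(SAMPLE).items():
        print(proc, summary)
```

On the sample the RegSvcs.exe instance shows two sentinel waits, just under 994 s of finite sleep, and one countdown of ten steps averaging about 146 ms, which is the signature worth alerting on; the two dropped copies show only the sentinel and nothing else.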

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe"
Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe"
Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe" Jump to behavior
Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe" Jump to behavior
Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe" Jump to behavior
Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe" Jump to behavior
Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp" Jump to behavior
Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp4AB6.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\bank slip.exe Queries volume information: C:\Users\user\Desktop\bank slip.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bank slip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bank slip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bank slip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\bank slip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Queries volume information: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\bank slip.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
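Analyst note on the process tree above (added commentary and example, not part of this sandbox report). Four points matter for detection. First, Defender exclusions are added for both the file on the Desktop and the copy dropped to %AppData%\mKSjGvfmIulVB.exe, and the dropped copy later repeats the scheduled-task registration itself, so persistence survives deletion of the original. Second, the parent is a 32-bit process: it asked for C:\Windows\System32\...\powershell.exe and schtasks.exe, but WOW64 file-system redirection resolved both to C:\Windows\SysWOW64, so a rule keyed on a single image path misses one of the two. Third, the task is created from an XML definition in %Temp% and placed under a task folder named "Updates". Fourth, RegSvcs.exe, the .NET Services Installation Tool, is started with an empty command line by a process living in the user profile; the tool does nothing useful without an assembly argument, and the Yara hits on 9.2.RegSvcs.exe.400000.0.unpack further down show it is the hollowed host for the AgentTesla payload. The Python below turns those points into checks over "Process created" lines in this page's format. The first six sample lines are copied from this report; the -EncodedCommand variant and the benign explorer.exe control line are constructed, and the list of .NET utilities worth watching is an assumption to extend.

```python
import base64
import re
from pathlib import PureWindowsPath

# "Process created" line in the report format: parent, child image, child command line.
PROC_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe) (?P<cmdline>.*?)(?: Jump to behavior)?$",
    re.IGNORECASE,
)
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
MPPREF_RE = re.compile(r"add-mppreference\b.*-exclusion(?:path|process|extension)", re.IGNORECASE)
XML_ARG_RE = re.compile(r'/xml\s+"?([^"\s]+)', re.IGNORECASE)
# Assumed watch list: .NET framework utilities commonly abused as hollowing hosts.
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}


def decoded_command(cmdline):
    """Append the UTF-16LE text of a -EncodedCommand payload so it is inspected like plain text."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def user_writable(path):
    """Parent locations a standard user can write to (assumed list; adjust per estate)."""
    p = path.lower()
    return "\\users\\" in p or "\\temp\\" in p or "\\programdata\\" in p


def detect(lines):
    """Return (rule, parent, image) findings for the three behaviours seen in this report."""
    findings = []
    for line in lines:
        m = PROC_RE.match(line.strip())
        if not m:
            continue
        parent, image, cmdline = m.group("parent"), m.group("image"), m.group("cmdline")
        name = PureWindowsPath(image).name.lower()     # path-independent: System32 or SysWOW64
        text = decoded_command(cmdline)
        # 1. Defender exclusion added through PowerShell, plain or base64-encoded.
        if name == "powershell.exe" and MPPREF_RE.search(text):
            findings.append(("defender_exclusion", parent, image))
        # 2. Scheduled task imported from an XML definition inside a Temp directory.
        if name == "schtasks.exe" and "/create" in text.lower():
            xml = XML_ARG_RE.search(text)
            if xml and "\\temp\\" in xml.group(1).lower():
                findings.append(("scheduled_task_from_temp", parent, image))
        # 3. .NET utility started with no arguments by a process in a user-writable path.
        if name in DOTNET_UTILS and user_writable(parent):
            if cmdline.strip().strip('"').lower() == image.lower():
                findings.append(("dotnet_utility_no_args", parent, image))
    return findings


# Constructed: the same Add-MpPreference call hidden behind -EncodedCommand.
ENCODED_PAYLOAD = base64.b64encode(
    r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'".encode("utf-16-le")
).decode()

SAMPLE = [
    # Lines copied from this report.
    r'Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\bank slip.exe"',
    r'Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe" Jump to behavior',
    r'Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp2859.tmp" Jump to behavior',
    r'Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior',
    r'Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKSjGvfmIulVB" /XML "C:\Users\user\AppData\Local\Temp\tmp4AB6.tmp" Jump to behavior',
    r'Source: C:\Users\user\AppData\Roaming\mKSjGvfmIulVB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior',
    # Constructed variants: the encoded exclusion, then a benign control with a real argument.
    r'Source: C:\Users\user\Desktop\bank slip.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand ' + ENCODED_PAYLOAD,
    r'Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference',
]

if __name__ == "__main__":
    for rule, parent, image in detect(SAMPLE):
        print(f"{rule:26} parent={parent} -> {image}")
```

The third rule is the noisiest of the three in a developer estate, where build agents do launch MSBuild.exe from user paths; the no-arguments condition keeps it narrow, since every legitimate use of these tools passes an assembly or project file.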

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bank slip.exe.389c998.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.mKSjGvfmIulVB.exe.4318670.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bank slip.exe.38d7bb8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.mKSjGvfmIulVB.exe.4318670.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.mKSjGvfmIulVB.exe.42dd450.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bank slip.exe.38d7bb8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.bank slip.exe.389c998.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3246056841.0000000003092000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3246056841.000000000309A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2091471993.000000000304A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Remote Access Functionality
