Windows Analysis Report
ORDEM DE COMPRA.exe

Overview

General Information

Sample name: ORDEM DE COMPRA.exe
Analysis ID: 1446502
MD5: 46dab257847ea9cfbbc77979323212c4
SHA1: 8cbd33b3cf519807b2c986f7fbe3daae4175595f
SHA256: 1f522609abaf12c6647c56b379cdf2c9263a845a6b4c93bac7111d0c27d68159
Tags: exe
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Disables UAC (registry)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://scratchdreams.tk Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "divine4040@gbogboro.com", "Password": "Egoamaka@123", "Host": "mail.gbogboro.com", "Port": "587"}
Multi AV Scanner detection for domain / URL
Source: scratchdreams.tk Virustotal: Detection: 18% Perma Link
Source: https://scratchdreams.tk/_send_.php?TS Virustotal: Detection: 16% Perma Link
Source: http://scratchdreams.tk Virustotal: Detection: 18% Perma Link
Source: https://scratchdreams.tk Virustotal: Detection: 17% Perma Link
Multi AV Scanner detection for submitted file
Source: ORDEM DE COMPRA.exe Virustotal: Detection: 25% Perma Link
Source: ORDEM DE COMPRA.exe ReversingLabs: Detection: 21%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability
Machine Learning detection for sample
Source: ORDEM DE COMPRA.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49700 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: ORDEM DE COMPRA.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Windows.Forms.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: mscorlib.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.ni.pdbRSDS source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: Microsoft.CSharp.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Dynamic.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Windows.Forms.pdb0 source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Drawing.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: mscorlib.ni.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Drawing.ni.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Core.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Drawing.pdb` source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.pdbMZ source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.ni.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERE5FE.tmp.dmp.9.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_02F6F21B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_02F6F03B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 02F6F7A1h 5_2_02F6F4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_02F6EA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 02F6FBF9h 5_2_02F6F941
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A60F11h 5_2_06A60C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A62091h 5_2_06A61DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A62658h 5_2_06A62240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6021Dh 5_2_06A60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A60BA7h 5_2_06A60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6D969h 5_2_06A6D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6D0B9h 5_2_06A6CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6E219h 5_2_06A6DF70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6EF21h 5_2_06A6EC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A62658h 5_2_06A62586
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A617D1h 5_2_06A61520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6F7D1h 5_2_06A6F528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6C809h 5_2_06A6C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6D511h 5_2_06A6D268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6E671h 5_2_06A6E3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6DDC1h 5_2_06A6DB18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A61371h 5_2_06A610C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6F379h 5_2_06A6F0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6EAC9h 5_2_06A6E820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6CC61h 5_2_06A6C9B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A61C31h 5_2_06A61980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6FC29h 5_2_06A6F980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A6C3B1h 5_2_06A6C108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A78D95h 5_2_06A78A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A76169h 5_2_06A75EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A788A9h 5_2_06A78600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A75D11h 5_2_06A75A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 5_2_06A737FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A76E71h 5_2_06A76BC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A765C1h 5_2_06A76318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A76A19h 5_2_06A76770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A7774Ah 5_2_06A774A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A70741h 5_2_06A70498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A70B99h 5_2_06A708F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A77BA1h 5_2_06A778F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A772C9h 5_2_06A77020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 5_2_06A73808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A702E9h 5_2_06A70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A71449h 5_2_06A711A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A78451h 5_2_06A781A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A75891h 5_2_06A755E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A70FF1h 5_2_06A70D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then jmp 06A77FF9h 5_2_06A77D50

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49700 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: scratchdreams.tk
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: AddInProcess32.exe, 00000005.00000002.4523823205.0000000003175000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: AddInProcess32.exe, 00000005.00000002.4523823205.0000000003175000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003169000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: AddInProcess32.exe, 00000005.00000002.4523823205.00000000030B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000318D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: AddInProcess32.exe, 00000005.00000002.4523823205.00000000030B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://scratchdreams.tk
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: AddInProcess32.exe, 00000005.00000002.4523823205.000000000318D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: AddInProcess32.exe, 00000005.00000002.4523823205.000000000318D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.0
Source: AddInProcess32.exe, 00000005.00000002.4523823205.0000000003175000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003175000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175
Source: AddInProcess32.exe, 00000005.00000002.4523823205.0000000003216000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000325C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003223000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.00000000031B8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003230000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003208000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175$
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.00000000030B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk
Source: AddInProcess32.exe, 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk/_send_.php?TS
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49722 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: AddInProcess32.exe PID: 6976, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: AddInProcess32.exe PID: 6976, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348A5D25 0_2_00007FFD348A5D25
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348A5CA8 0_2_00007FFD348A5CA8
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348D1658 0_2_00007FFD348D1658
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348A9F2F 0_2_00007FFD348A9F2F
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348A1F65 0_2_00007FFD348A1F65
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348A0868 0_2_00007FFD348A0868
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348A0518 0_2_00007FFD348A0518
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348A05D3 0_2_00007FFD348A05D3
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348D0F10 0_2_00007FFD348D0F10
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348A0AE0 0_2_00007FFD348A0AE0
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348D1358 0_2_00007FFD348D1358
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348A0ADB 0_2_00007FFD348A0ADB
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348ACC00 0_2_00007FFD348ACC00
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348A0BD3 0_2_00007FFD348A0BD3
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD349C0261 0_2_00007FFD349C0261
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_014FACC0 5_2_014FACC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_014FFA9F 5_2_014FFA9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_014FBFEC 5_2_014FBFEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_014FDEA0 5_2_014FDEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F6B388 5_2_02F6B388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F6C1F0 5_2_02F6C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F66168 5_2_02F66168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F6C7B1 5_2_02F6C7B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F6C4D0 5_2_02F6C4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F6CA91 5_2_02F6CA91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F64B31 5_2_02F64B31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F668E0 5_2_02F668E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F698B8 5_2_02F698B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F6BF10 5_2_02F6BF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F6BC32 5_2_02F6BC32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F6F4E8 5_2_02F6F4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F635C8 5_2_02F635C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F6B552 5_2_02F6B552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F6EA08 5_2_02F6EA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F6E9F8 5_2_02F6E9F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F6F941 5_2_02F6F941
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A64490 5_2_06A64490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A60C60 5_2_06A60C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A61DE0 5_2_06A61DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A69080 5_2_06A69080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A60040 5_2_06A60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A689B0 5_2_06A689B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6D6B0 5_2_06A6D6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6D6C0 5_2_06A6D6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6CE01 5_2_06A6CE01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6CE10 5_2_06A6CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A67FF8 5_2_06A67FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6DF60 5_2_06A6DF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6DF70 5_2_06A6DF70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A64480 5_2_06A64480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6EC69 5_2_06A6EC69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6EC78 5_2_06A6EC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A60C50 5_2_06A60C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A61DD0 5_2_06A61DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A61520 5_2_06A61520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6F528 5_2_06A6F528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A61510 5_2_06A61510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6F518 5_2_06A6F518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6C560 5_2_06A6C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6C550 5_2_06A6C550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6D268 5_2_06A6D268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6D258 5_2_06A6D258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6E3B9 5_2_06A6E3B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6E3C8 5_2_06A6E3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6DB0A 5_2_06A6DB0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6DB18 5_2_06A6DB18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A610B0 5_2_06A610B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6C0F7 5_2_06A6C0F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A610C0 5_2_06A610C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6F0C0 5_2_06A6F0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6F0D0 5_2_06A6F0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6E820 5_2_06A6E820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A60007 5_2_06A60007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A68008 5_2_06A68008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6E812 5_2_06A6E812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6C9A9 5_2_06A6C9A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6C9B8 5_2_06A6C9B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A61980 5_2_06A61980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6F980 5_2_06A6F980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6C108 5_2_06A6C108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A61970 5_2_06A61970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6F971 5_2_06A6F971
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7AEA8 5_2_06A7AEA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7DAC0 5_2_06A7DAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7CE28 5_2_06A7CE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A78A58 5_2_06A78A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7C7D8 5_2_06A7C7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7BB38 5_2_06A7BB38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A790A1 5_2_06A790A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7B4F0 5_2_06A7B4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7D478 5_2_06A7D478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7A858 5_2_06A7A858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7C188 5_2_06A7C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A715F8 5_2_06A715F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7DAAF 5_2_06A7DAAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A75EB0 5_2_06A75EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7AE98 5_2_06A7AE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A75EC0 5_2_06A75EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7CE21 5_2_06A7CE21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A78600 5_2_06A78600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A75A68 5_2_06A75A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A78A48 5_2_06A78A48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A75A58 5_2_06A75A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A76BB8 5_2_06A76BB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A73B80 5_2_06A73B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A737FA 5_2_06A737FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7C7CA 5_2_06A7C7CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A76BC8 5_2_06A76BC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7BB27 5_2_06A7BB27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A76308 5_2_06A76308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A76318 5_2_06A76318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A76760 5_2_06A76760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A76770 5_2_06A76770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A774A0 5_2_06A774A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A74880 5_2_06A74880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A70488 5_2_06A70488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A77490 5_2_06A77490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A70498 5_2_06A70498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A778E7 5_2_06A778E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A708E1 5_2_06A708E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7B4E0 5_2_06A7B4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A708F0 5_2_06A708F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A778F8 5_2_06A778F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A77020 5_2_06A77020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A70007 5_2_06A70007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A73808 5_2_06A73808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A77010 5_2_06A77010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A72C68 5_2_06A72C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7D468 5_2_06A7D468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A70040 5_2_06A70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7A848 5_2_06A7A848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A711A0 5_2_06A711A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A781A8 5_2_06A781A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A71191 5_2_06A71191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7819A 5_2_06A7819A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A755E8 5_2_06A755E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A785F1 5_2_06A785F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A755DA 5_2_06A755DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A70D38 5_2_06A70D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7C178 5_2_06A7C178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A77D40 5_2_06A77D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A70D48 5_2_06A70D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A77D50 5_2_06A77D50
One or more processes crash
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1756 -s 1120
PE file does not import any functions
Source: ORDEM DE COMPRA.exe Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNativeMethods.dll" vs ORDEM DE COMPRA.exe
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs ORDEM DE COMPRA.exe
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEhetayeyunuzuzazeped@ vs ORDEM DE COMPRA.exe
Source: ORDEM DE COMPRA.exe, 00000000.00000000.2059230100.000001FBD7AAE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUnoqunomJ vs ORDEM DE COMPRA.exe
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182716686.000001FBD9680000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameEhetayeyunuzuzazeped@ vs ORDEM DE COMPRA.exe
Source: ORDEM DE COMPRA.exe, 00000000.00000000.2059218760.000001FBD7AA2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNativeMethods.dll" vs ORDEM DE COMPRA.exe
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182682413.000001FBD95B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNativeMethods.dll" vs ORDEM DE COMPRA.exe
Source: ORDEM DE COMPRA.exe Binary or memory string: OriginalFilenameNativeMethods.dll" vs ORDEM DE COMPRA.exe
Source: ORDEM DE COMPRA.exe Binary or memory string: OriginalFilenameUnoqunomJ vs ORDEM DE COMPRA.exe
Yara signature match
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: AddInProcess32.exe PID: 6976, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: AddInProcess32.exe PID: 6976, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: ORDEM DE COMPRA.exe, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, --J.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, --J.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, O-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, O-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, --J.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, --J.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, O-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, O-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@11/10@4/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1756
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wo3x5km0.qeo.ps1 Jump to behavior
Source: ORDEM DE COMPRA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ORDEM DE COMPRA.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: AddInProcess32.exe, 00000005.00000002.4523823205.0000000003350000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.0000000003344000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4527017564.000000000413B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.00000000032FE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000331C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.4523823205.000000000330E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ORDEM DE COMPRA.exe Virustotal: Detection: 25%
Source: ORDEM DE COMPRA.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe File read: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ORDEM DE COMPRA.exe "C:\Users\user\Desktop\ORDEM DE COMPRA.exe"
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1756 -s 1120
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: ORDEM DE COMPRA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ORDEM DE COMPRA.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: ORDEM DE COMPRA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: System.Windows.Forms.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: mscorlib.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.ni.pdbRSDS source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: Microsoft.CSharp.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Dynamic.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Windows.Forms.pdb0 source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Drawing.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: mscorlib.ni.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Drawing.ni.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Core.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Drawing.pdb` source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.pdbMZ source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.ni.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdb source: WERE5FE.tmp.dmp.9.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERE5FE.tmp.dmp.9.dr
Binary contains a suspicious time stamp
Source: ORDEM DE COMPRA.exe Static PE information: 0xD4FC1361 [Fri Mar 26 12:30:25 2083 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348ADF45 push BA495F4Dh; iretd 0_2_00007FFD348ADF6A
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD348A00BD pushad ; iretd 0_2_00007FFD348A00C1
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD349C0261 push esp; retf 4810h 0_2_00007FFD349C0552
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Code function: 0_2_00007FFD349C0224 pushad ; ret 0_2_00007FFD349C0225
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_02F69770 push esp; ret 5_2_02F69771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A68F86 push es; iretd 5_2_06A6903C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A67C3D push es; ret 5_2_06A67C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A69000 push es; iretd 5_2_06A6903C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7367B push es; iretd 5_2_06A7367C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7F75F push es; ret 5_2_06A7F888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A7F88B push es; ret 5_2_06A7F888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A79045 push es; ret 5_2_06A7904C

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Memory allocated: 1FBD9590000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Memory allocated: 1FBF1710000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2E70000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 30B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2EC0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599529 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598316 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597134 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597008 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596577 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595016 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 594891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 594780 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 594672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 594562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 594453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 594344 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7098 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 7640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 2198 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6252 Thread sleep time: -10145709240540247s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -32281802128991695s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5056 Thread sleep count: 7640 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5056 Thread sleep count: 2198 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -599641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -599529s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -599422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -599312s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -599203s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -599094s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -598984s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -598875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -598766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -598656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -598547s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -598437s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -598316s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -598187s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -598078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -597969s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -597859s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -597750s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -597641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -597531s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -597422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -597312s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -597134s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -597008s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -596906s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -596797s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -596687s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -596577s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -596469s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -596344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -596234s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -596125s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -596015s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -595906s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -595797s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -595687s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -595578s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -595469s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -595359s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -595250s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -595141s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -595016s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -594891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -594780s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -594672s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -594562s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -594453s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5096 Thread sleep time: -594344s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599529 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598316 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597134 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597008 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596577 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595016 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 594891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 594780 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 594672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 594562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 594453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 594344 Jump to behavior
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AddInProcess32.exe, 00000005.00000002.4522243099.00000000011C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: ORDEM DE COMPRA.exe, 00000000.00000002.2182801768.000001FBD9A26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 5_2_06A6BE28 LdrInitializeThunk, 5_2_06A6BE28
Enables debug privileges
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 422000 Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 424000 Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: FB5008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ORDEM DE COMPRA.exe" -Force Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Queries volume information: C:\Users\user\Desktop\ORDEM DE COMPRA.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disables UAC (registry)
Source: C:\Users\user\Desktop\ORDEM DE COMPRA.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4523823205.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 6976, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 6976, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a3d540.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ORDEM DE COMPRA.exe.1fbe9a1caf8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4521934440.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4523823205.000000000326C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2184297961.000001FBE99FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4523823205.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDEM DE COMPRA.exe PID: 1756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 6976, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1446502 Sample: ORDEM DE COMPRA.exe Startdate: 23/05/2024 Architecture: WINDOWS Score: 100 23 reallyfreegeoip.org 2->23 25 checkip.dyndns.org 2->25 27 3 other IPs or domains 2->27 33 Multi AV Scanner detection for domain / URL 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 41 10 other signatures 2->41 8 ORDEM DE COMPRA.exe 1 3 2->8         started        signatures3 39 Tries to detect the country of the analysis system (by using the IP) 23->39 process4 signatures5 43 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->43 45 Writes to foreign memory regions 8->45 47 Adds a directory exclusion to Windows Defender 8->47 49 2 other signatures 8->49 11 AddInProcess32.exe 15 2 8->11         started        15 powershell.exe 23 8->15         started        17 WerFault.exe 19 16 8->17         started        19 2 other processes 8->19 process6 dnsIp7 29 scratchdreams.tk 188.114.97.3, 443, 49700, 49702 CLOUDFLARENETUS European Union 11->29 31 checkip.dyndns.com 132.226.8.169, 49699, 49704, 49709 UTMEMUS United States 11->31 51 Tries to steal Mail credentials (via file / registry access) 11->51 53 Tries to harvest and steal browser information (history, passwords, etc) 11->53 55 Loading BitLocker PowerShell Module 15->55 21 conhost.exe 15->21         started        signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
132.226.8.169
 checkip.dyndns.com United States
16989 UTMEMUS false
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.97.3 true
scratchdreams.tk 188.114.97.3 true
checkip.dyndns.com 132.226.8.169 true
15.164.165.52.in-addr.arpa unknown unknown
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://reallyfreegeoip.org/xml/8.46.123.175 false
  • Avira URL Cloud: safe
 unknown
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown
https://scratchdreams.tk/_send_.php?TS false
  • 16%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown