Windows Analysis Report
tWitaq427K.exe

Overview

General Information

Sample name: tWitaq427K.exe
renamed because original name is a hash value
Original sample name: 28f77c9af8cb3ea886714bbfc8326635.exe
Analysis ID: 1465385
MD5: 28f77c9af8cb3ea886714bbfc8326635
SHA1: f6f02b22cd5a272c71a5afa66efd3b237fe4f24f
SHA256: f251fe71103ef7bc4cbdbcfe9c1d7c4a595f831e51cf4064f2bfa595f47bda35
Tags: 32exeRemcosRATtrojan
Infos:

Detection

Remcos, AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: tWitaq427K.exe Avira: detected
Antivirus detection for URL or domain
Source: antfly50.sytes.net Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Avira: detection malicious, Label: HEUR/AGEN.1362875
Found malware configuration
Source: 0000000A.00000002.3618263040.0000000000C07000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "antfly50.sytes.net:1980:1", "Assigned name": "sPITTT", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-BW3KDF", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 28.0.CCSJ.exe.8f0000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.com", "Username": "manorobaneco1818@yandex.com", "Password": "aowapnzgtwgqowgt"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: tWitaq427K.exe ReversingLabs: Detection: 31%
Yara detected Remcos RAT
Source: Yara match File source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1407193789.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3619364298.000000000299F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3618263040.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tWitaq427K.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tWitaq427K.exe PID: 7964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: znlzneAxBVd.exe PID: 8028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: znlzneAxBVd.exe PID: 3168, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: tWitaq427K.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 16_2_00433837
Source: tWitaq427K.exe, 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_94a7f7ed-d

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tWitaq427K.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: znlzneAxBVd.exe PID: 8028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: znlzneAxBVd.exe PID: 3168, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_004074FD _wcslen,CoGetObject, 16_2_004074FD
Uses 32bit PE files
Source: tWitaq427K.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tWitaq427K.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 10_2_100010F1
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_10006580 FindFirstFileExA, 10_2_10006580
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 16_2_00409253
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 16_2_0041C291
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 16_2_0040C34D
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 16_2_00409665
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0044E879 FindFirstFileExA, 16_2_0044E879
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 16_2_0040880C
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040783C FindFirstFileW,FindNextFileW, 16_2_0040783C
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 16_2_00419AF5
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 16_2_0040BB30
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 16_2_0040BD37
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW, 17_2_0040AE51
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 18_2_00407EF8
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 19_2_00407898
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 16_2_00407C97

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: antfly50.sytes.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.9:49711 -> 80.85.154.121:1980
Source: global traffic TCP traffic: 192.168.2.9:49727 -> 77.88.21.158:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 77.88.21.158 77.88.21.158
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CHELYABINSK-SIGNAL-ASRU CHELYABINSK-SIGNAL-ASRU
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.9:49727 -> 77.88.21.158:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 16_2_0041B380
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: tWitaq427K.exe, 00000011.00000002.1416881594.00000000018ED000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 00000018.00000002.2133552021.000000000178D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: tWitaq427K.exe, 00000011.00000002.1416881594.00000000018ED000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 00000018.00000002.2133552021.000000000178D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: tWitaq427K.exe, tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: tWitaq427K.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: tWitaq427K.exe, 00000011.00000002.1415406769.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: tWitaq427K.exe, 00000011.00000002.1415406769.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: antfly50.sytes.net
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: global traffic DNS traffic detected: DNS query: smtp.yandex.com
Source: bhv6DEB.tmp.17.dr, bhv86CD.tmp.24.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv6DEB.tmp.17.dr, bhv86CD.tmp.24.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: tWitaq427K.exe, znlzneAxBVd.exe.2.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: tWitaq427K.exe, znlzneAxBVd.exe.2.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsrsaovsslca2018.crl0j
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: bhv6DEB.tmp.17.dr, bhv86CD.tmp.24.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv6DEB.tmp.17.dr, bhv86CD.tmp.24.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv6DEB.tmp.17.dr, bhv86CD.tmp.24.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: tWitaq427K.exe, 0000000A.00000002.3618263040.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, znlzneAxBVd.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: tWitaq427K.exe, 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, znlzneAxBVd.exe, 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, znlzneAxBVd.exe, 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: tWitaq427K.exe, znlzneAxBVd.exe.2.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: bhv6DEB.tmp.17.dr, bhv86CD.tmp.24.dr String found in binary or memory: http://ocsp.digicert.com0
Source: CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsrs
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsrsaovsslca20180V
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: tWitaq427K.exe, 00000002.00000002.1374656010.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, znlzneAxBVd.exe, 0000000B.00000002.1421753774.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globals
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt07
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://smtp.yandex.com
Source: Amcache.hve.32.dr String found in binary or memory: http://upx.sf.net
Source: tWitaq427K.exe, tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: tWitaq427K.exe, tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: tWitaq427K.exe, 00000011.00000002.1415778138.00000000012F4000.00000004.00000010.00020000.00000000.sdmp, tWitaq427K.exe, 00000018.00000002.2131692171.0000000001134000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: CCSJ.exe, 0000001C.00000000.3251132725.00000000008F2000.00000002.00000001.01000000.0000000E.sdmp, CCSJ.exe.10.dr String found in binary or memory: https://account.dyn.com/
Source: tWitaq427K.exe, 00000011.00000002.1416153381.0000000001610000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 00000011.00000002.1416881594.00000000018ED000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 00000018.00000002.2132446707.0000000001368000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 00000018.00000002.2133552021.000000000178D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: tWitaq427K.exe, 00000011.00000002.1416153381.0000000001610000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 00000018.00000002.2132446707.0000000001368000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: tWitaq427K.exe, 00000011.00000002.1416153381.0000000001610000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 00000018.00000002.2132446707.0000000001368000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: tWitaq427K.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: tWitaq427K.exe, znlzneAxBVd.exe.2.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/r
Source: CCSJ.exe, 0000001C.00000002.3798002095.0000000002DA6000.00000004.00000800.00020000.00000000.sdmp, CCSJ.exe, 0000001C.00000002.3806855705.000000000635A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: tWitaq427K.exe, tWitaq427K.exe, 00000013.00000002.1402130022.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: tWitaq427K.exe String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: CCSJ.exe.10.dr, 3DlgK9re6m.cs .Net Code: _8fBy82
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 16_2_0040A2B8
Installs a global keyboard hook
Source: C:\Users\user\Desktop\tWitaq427K.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\tWitaq427K.exe Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 16_2_0040B70E
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 16_2_004168C1
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 17_2_0040987A
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 17_2_004098E2
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 18_2_00406DFC
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 18_2_00406E9F
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 19_2_004068B5
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 19_2_004072B5
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 16_2_0040B70E
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 16_2_0040A3E0

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1407193789.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3619364298.000000000299F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3618263040.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tWitaq427K.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tWitaq427K.exe PID: 7964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: znlzneAxBVd.exe PID: 8028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: znlzneAxBVd.exe PID: 3168, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0041C9E2 SystemParametersInfoW, 16_2_0041C9E2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 28.0.CCSJ.exe.8f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: tWitaq427K.exe PID: 7412, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: znlzneAxBVd.exe PID: 8028, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: znlzneAxBVd.exe PID: 3168, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe, type: DROPPED Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\tWitaq427K.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 17_2_0040DD85
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00401806 NtdllDefWindowProc_W, 17_2_00401806
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_004018C0 NtdllDefWindowProc_W, 17_2_004018C0
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_004016FD NtdllDefWindowProc_A, 18_2_004016FD
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_004017B7 NtdllDefWindowProc_A, 18_2_004017B7
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00402CAC NtdllDefWindowProc_A, 19_2_00402CAC
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00402D66 NtdllDefWindowProc_A, 19_2_00402D66
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 16_2_004167B4
Detected potential crypto function
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 2_2_011ED5BC 2_2_011ED5BC
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 2_2_05220006 2_2_05220006
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 2_2_05220040 2_2_05220040
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 2_2_0522F6BF 2_2_0522F6BF
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 2_2_0522F6D0 2_2_0522F6D0
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 2_2_052AEF00 2_2_052AEF00
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_10017194 10_2_10017194
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_1000B5C1 10_2_1000B5C1
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 11_2_0104D5BC 11_2_0104D5BC
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0043E0CC 16_2_0043E0CC
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0041F0FA 16_2_0041F0FA
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00454159 16_2_00454159
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00438168 16_2_00438168
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_004461F0 16_2_004461F0
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0043E2FB 16_2_0043E2FB
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0045332B 16_2_0045332B
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0042739D 16_2_0042739D
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_004374E6 16_2_004374E6
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0043E558 16_2_0043E558
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00438770 16_2_00438770
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_004378FE 16_2_004378FE
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00433946 16_2_00433946
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0044D9C9 16_2_0044D9C9
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00427A46 16_2_00427A46
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0041DB62 16_2_0041DB62
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00427BAF 16_2_00427BAF
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00437D33 16_2_00437D33
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00435E5E 16_2_00435E5E
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00426E0E 16_2_00426E0E
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0043DE9D 16_2_0043DE9D
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00413FCA 16_2_00413FCA
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00436FEA 16_2_00436FEA
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0044B040 17_2_0044B040
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0043610D 17_2_0043610D
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00447310 17_2_00447310
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0044A490 17_2_0044A490
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0040755A 17_2_0040755A
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0043C560 17_2_0043C560
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0044B610 17_2_0044B610
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0044D6C0 17_2_0044D6C0
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_004476F0 17_2_004476F0
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0044B870 17_2_0044B870
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0044081D 17_2_0044081D
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00414957 17_2_00414957
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_004079EE 17_2_004079EE
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00407AEB 17_2_00407AEB
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0044AA80 17_2_0044AA80
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00412AA9 17_2_00412AA9
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00404B74 17_2_00404B74
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00404B03 17_2_00404B03
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0044BBD8 17_2_0044BBD8
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00404BE5 17_2_00404BE5
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00404C76 17_2_00404C76
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00415CFE 17_2_00415CFE
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00416D72 17_2_00416D72
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00446D30 17_2_00446D30
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00446D8B 17_2_00446D8B
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00406E8F 17_2_00406E8F
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_00405038 18_2_00405038
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_0041208C 18_2_0041208C
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_004050A9 18_2_004050A9
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_0040511A 18_2_0040511A
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_0043C13A 18_2_0043C13A
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_004051AB 18_2_004051AB
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_00449300 18_2_00449300
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_0040D322 18_2_0040D322
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_0044A4F0 18_2_0044A4F0
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_0043A5AB 18_2_0043A5AB
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_00413631 18_2_00413631
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_00446690 18_2_00446690
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_0044A730 18_2_0044A730
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_004398D8 18_2_004398D8
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_004498E0 18_2_004498E0
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_0044A886 18_2_0044A886
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_0043DA09 18_2_0043DA09
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_00438D5E 18_2_00438D5E
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_00449ED0 18_2_00449ED0
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_0041FE83 18_2_0041FE83
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_00430F54 18_2_00430F54
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_004050C2 19_2_004050C2
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_004014AB 19_2_004014AB
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00405133 19_2_00405133
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_004051A4 19_2_004051A4
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00401246 19_2_00401246
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_0040CA46 19_2_0040CA46
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00405235 19_2_00405235
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_004032C8 19_2_004032C8
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00401689 19_2_00401689
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00402F60 19_2_00402F60
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_01079370 28_2_01079370
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_01079B28 28_2_01079B28
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_01074A98 28_2_01074A98
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_0107CDB0 28_2_0107CDB0
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_01073E80 28_2_01073E80
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_010741C8 28_2_010741C8
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_05738C6C 28_2_05738C6C
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_0573DCE8 28_2_0573DCE8
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_0573BCD0 28_2_0573BCD0
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_05739AB8 28_2_05739AB8
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_05733F38 28_2_05733F38
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_05734FD8 28_2_05734FD8
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_057356B8 28_2_057356B8
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_05730040 28_2_05730040
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_05733230 28_2_05733230
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Code function: 28_2_05732AF0 28_2_05732AF0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe F251FE71103EF7BC4CBDBCFE9C1D7C4A595F831E51CF4064F2BFA595F47BDA35
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: String function: 00434770 appears 41 times
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: String function: 00401E65 appears 34 times
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: String function: 00422297 appears 42 times
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: String function: 00413025 appears 79 times
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: String function: 00416760 appears 69 times
One or more processes crash
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7964 -s 1876
PE / OLE file has an invalid certificate
Source: tWitaq427K.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: tWitaq427K.exe, 00000002.00000002.1388033148.0000000005550000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs tWitaq427K.exe
Source: tWitaq427K.exe, 00000002.00000002.1373262134.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs tWitaq427K.exe
Source: tWitaq427K.exe, 00000002.00000002.1374656010.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs tWitaq427K.exe
Source: tWitaq427K.exe, 00000002.00000002.1388460595.0000000005FF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs tWitaq427K.exe
Source: tWitaq427K.exe, 0000000A.00000002.3618904447.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef408fa6d-534c-b vs tWitaq427K.exe
Source: tWitaq427K.exe, 0000000A.00000002.3618904447.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef408fa6d-52 vs tWitaq427K.exe
Source: tWitaq427K.exe, 0000000A.00000002.3618263040.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef408fa6d-534c-47bb-b201-cbe01ca64650.exe4 vs tWitaq427K.exe
Source: tWitaq427K.exe Binary or memory string: OriginalFileName vs tWitaq427K.exe
Source: tWitaq427K.exe, 00000013.00000002.1402130022.000000000041B000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs tWitaq427K.exe
Source: tWitaq427K.exe Binary or memory string: OriginalFilenameiUuK.exen' vs tWitaq427K.exe
Uses 32bit PE files
Source: tWitaq427K.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 28.0.CCSJ.exe.8f0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: tWitaq427K.exe PID: 7412, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: znlzneAxBVd.exe PID: 8028, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: znlzneAxBVd.exe PID: 3168, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: tWitaq427K.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: znlzneAxBVd.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: CCSJ.exe.10.dr, slKb.cs Cryptographic APIs: 'TransformFinalBlock'
Source: CCSJ.exe.10.dr, mAKJ.cs Cryptographic APIs: 'TransformFinalBlock'
Source: CCSJ.exe.10.dr, xQRSe0Fg.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: CCSJ.exe.10.dr, n3rhMa.cs Cryptographic APIs: 'CreateDecryptor'
Source: CCSJ.exe.10.dr, MQzE4FWn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: CCSJ.exe.10.dr, nSmgRyX5a1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: CCSJ.exe.10.dr, 6IMLmJtk.cs Cryptographic APIs: 'TransformFinalBlock'
Source: CCSJ.exe.10.dr, 6IMLmJtk.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: CCSJ.exe.10.dr, 3HroK7qN.cs Cryptographic APIs: 'TransformFinalBlock'
Source: CCSJ.exe.10.dr, 3HroK7qN.cs Cryptographic APIs: 'TransformFinalBlock'
Source: tWitaq427K.exe, SliderControl.cs Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAB7xJREFUeNqMV1tsFGUUPjM7u223291FoBfagqXbC9q6IGrrpYXEWDBa8ZpoTEx88cUEjA+++FKoaHzQBDQxvniJwapQgyEWhYhYtRCkFNpyK0KrvUNvu+3eL+N3/unszna36p+c/LM7M+c7l++c/4y0c+dO+o8lFxcX3+vxeHbIsvwspDQajVoikYikqqqEpZrNZhX/h7Cu4t5h/P4yGAxex7vxf1O8f/9+ktiAffv2pd3ctWuXvHp1fn0wGHhLUZSGgoJ8xeWqpIKiEnI4HJSVZSFZkimuxikUjtC810vj4yM0cOUyjY2NAj90cmZm5lW73T4E/RkNgfGZDdizp3VlLBZ912QyvVRVWWXeUFNLNXdUEzwkVSXsEYpEwgRvCcaR2azAoCyyWMwkyxJdvTZI58+dpYsX+/2zs7MfzM3NtR44cMCXyQBl6Z8tLS3rOIwI+8a6+npyu90UCoZodtZD8XgMYGYymWTsOYl3VEQhjCj4/X5WS2XrSqiqcj1dvOy2njh+7I3BwcG65ubm548cOTK5FC/FgN27d6+FhydqamrW19U/QGuKCskz56FAIEg5OdmUnZ0ND2UAqkIALQBZTCZ4o2TBkDDdujWNiJipusJFK1askn45cXwrIvFjU1PT9mPHjk2kEEy/aG1tXQVifbdhQ/X65id2UGFBPhRNwWuVnE4t59FohHw+X0IWFvw0P79AXu+82H0+vwirw5EnjBoZGaGVThs99fQztG3bdrfD4Ty4ZcsWZ0YDotHY2xz2++ruB7kkmpmZI7s9T3jOuWeAUCgsDNIkLlKiCxsXCgWFMSyKYhJknZiAw0jR1oebqLGx4UFwpgVGyikG7N27tx55fbmu/n4qXlME8FmA24Q3CwsLIqxaqMkAbDQgnhDmAyJJHo9X8MJud6A6xmjVijza9ujjEtL7Snl5+ZaEAYWFRSbUzDtVVdWK210rQpuXZxP55WuRagGuZgBPBWZecHS06zhI6SPohr48pPMWudavpYcaGnPKysrezMUSBqBs7ka5NdxxZw3YHhZK2HPOp+61pji+RNSE6OBLhRenhcuVf/v9AboPUa6trW2EUfcIA7xe71P5BQWmO1HngUBAkI1ZbwRngFRPk8KRYazUyiDDu6qIApxEKc9SSVEBuVwuM/j2Ih6xIALycxWuCkEw9hxkFECSwE8F1wwweklpoMst5gW/z9G4y72RwIMm/L1SgWUlBUXFIpRspWYICeWZcqwZpS5yQ0tNLBYTYuxwHEHeZNkk9PJzvDOh15SuQ2k78/FQiQLLLHaHUyjQ86l3Nz38xvDyzkrYE92rRF9fIloaowmHtA5qJjv4Z7FYsnCzVIEiKctigaJoorNpYVdTQh6LxQWhGFwH1YnG3ZEB9d1ogLbToo6YaG5rCwv53JBFCqBMPBOL6blMZTaDcSNiIiUNooSxDKoJg8kpRiTToUWAr/m8kGHIYi+yKnhB5XOd88MhNYaduxu/kEyPTjY14bFR0g2QFsms9ZFoVCWbLY/gsq5LQmdU1DCGC5uVW24y5BxunOkJr3WmG8OuiSmDEekp0LqoiqaUS0FVEsc5VpDLMDg/Py/OdX6BAbkfcDVkajCZwDl6LDrjNVGETr7mc0G7L5PVmks+8Aj6mXQzMnJ77SYmGR4qVDUmwPXOZQQ1lpgx3MkIpILr1xq4srjL4nCbwNkwPj4+A3XjMh/BVzBGcdgikWgaeGqXoyXg6aIBy2ngbDh7D9LR+e6zNDAwcAHqhmWMUl+Njo4FB64PoTnYRZkZwY1dTicXG5spCungyZ2fdTjsNH5rhvr6eml0dPQ3qJzkFFxB2H++gBnOmmsFS20iCnpJGjOQrHHZYIi0pCKMqUhyw2rNQe0rdPrU79Tb23sdmCegMsDFqCIfr/X19gUuX71GazAP6OWol5x+nanbLZeOVPJJcMxKw2M36YejHXTp0qV2kL0vMZC0tbUNTE1PfYgBUp32+KiysmKxBNUM/X150SNiNIJ3my0XU1KQDrYdoFNYmJIPwSlPykiGgWEPiNH5y08/kDk7h6qrqxIVkTSCEse0PoymRybZjPg+s54d6Th6hL7v+H5iaGjoI9w4nzYTtre3L8CA57u6Tl9o/+Zr8kdU2rRpo+AEG6Kddklw1q+JZNj1ySkm2J+Tk0XzvhAdPHiIPv/s07lz5869hynrO3gfyTiW88jc2NjYHA6H2qamph54rHmHxJGYw2g+PDws2jIfYhZLshVrZzwlxjGrNYt42jIrMv09epO+bvuCOjo6Jnp6et7H8PMJnvMu+13Aq7Ozc3jz5s1PIiUtN27cePmhhgZr/YMNGKNqRHfkUY0N4ajw5MRgzHAWnqY47+OT09TV9Rv9CMIh5V34MPkY7xxeCp7RAF7d3d1TlZWVr4Oth2DEm6e6uhpdrgqLe9PdVHp7GeXaneTEyC6raFrIeUSVick7MnyZerr/oH7UeV9f35/9/f3tCPm34NF5gIczYSnLjVDgA79wEpNLz5kzZzaWlpa+UF5+8hHM+oX4QsrGKIXyNiXGLEQkOjk5Oc0dDk3mV/SXTvCmF8Bz/zaqSfyJbFw8eHA3A2Hor7/+psHBGwTm8i3+GFwNKVqU2yC5i8wMQBiIv/1GIPz55af/sf4RYACTajXlBRuURAAAAABJRU5ErkJggg=='
Source: znlzneAxBVd.exe.2.dr, SliderControl.cs Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAB7xJREFUeNqMV1tsFGUUPjM7u223291FoBfagqXbC9q6IGrrpYXEWDBa8ZpoTEx88cUEjA+++FKoaHzQBDQxvniJwapQgyEWhYhYtRCkFNpyK0KrvUNvu+3eL+N3/unszna36p+c/LM7M+c7l++c/4y0c+dO+o8lFxcX3+vxeHbIsvwspDQajVoikYikqqqEpZrNZhX/h7Cu4t5h/P4yGAxex7vxf1O8f/9+ktiAffv2pd3ctWuXvHp1fn0wGHhLUZSGgoJ8xeWqpIKiEnI4HJSVZSFZkimuxikUjtC810vj4yM0cOUyjY2NAj90cmZm5lW73T4E/RkNgfGZDdizp3VlLBZ912QyvVRVWWXeUFNLNXdUEzwkVSXsEYpEwgRvCcaR2azAoCyyWMwkyxJdvTZI58+dpYsX+/2zs7MfzM3NtR44cMCXyQBl6Z8tLS3rOIwI+8a6+npyu90UCoZodtZD8XgMYGYymWTsOYl3VEQhjCj4/X5WS2XrSqiqcj1dvOy2njh+7I3BwcG65ubm548cOTK5FC/FgN27d6+FhydqamrW19U/QGuKCskz56FAIEg5OdmUnZ0ND2UAqkIALQBZTCZ4o2TBkDDdujWNiJipusJFK1askn45cXwrIvFjU1PT9mPHjk2kEEy/aG1tXQVifbdhQ/X65id2UGFBPhRNwWuVnE4t59FohHw+X0IWFvw0P79AXu+82H0+vwirw5EnjBoZGaGVThs99fQztG3bdrfD4Ty4ZcsWZ0YDotHY2xz2++ruB7kkmpmZI7s9T3jOuWeAUCgsDNIkLlKiCxsXCgWFMSyKYhJknZiAw0jR1oebqLGx4UFwpgVGyikG7N27tx55fbmu/n4qXlME8FmA24Q3CwsLIqxaqMkAbDQgnhDmAyJJHo9X8MJud6A6xmjVijza9ujjEtL7Snl5+ZaEAYWFRSbUzDtVVdWK210rQpuXZxP55WuRagGuZgBPBWZecHS06zhI6SPohr48pPMWudavpYcaGnPKysrezMUSBqBs7ka5NdxxZw3YHhZK2HPOp+61pji+RNSE6OBLhRenhcuVf/v9AboPUa6trW2EUfcIA7xe71P5BQWmO1HngUBAkI1ZbwRngFRPk8KRYazUyiDDu6qIApxEKc9SSVEBuVwuM/j2Ih6xIALycxWuCkEw9hxkFECSwE8F1wwweklpoMst5gW/z9G4y72RwIMm/L1SgWUlBUXFIpRspWYICeWZcqwZpS5yQ0tNLBYTYuxwHEHeZNkk9PJzvDOh15SuQ2k78/FQiQLLLHaHUyjQ86l3Nz38xvDyzkrYE92rRF9fIloaowmHtA5qJjv4Z7FYsnCzVIEiKctigaJoorNpYVdTQh6LxQWhGFwH1YnG3ZEB9d1ogLbToo6YaG5rCwv53JBFCqBMPBOL6blMZTaDcSNiIiUNooSxDKoJg8kpRiTToUWAr/m8kGHIYi+yKnhB5XOd88MhNYaduxu/kEyPTjY14bFR0g2QFsms9ZFoVCWbLY/gsq5LQmdU1DCGC5uVW24y5BxunOkJr3WmG8OuiSmDEekp0LqoiqaUS0FVEsc5VpDLMDg/Py/OdX6BAbkfcDVkajCZwDl6LDrjNVGETr7mc0G7L5PVmks+8Aj6mXQzMnJ77SYmGR4qVDUmwPXOZQQ1lpgx3MkIpILr1xq4srjL4nCbwNkwPj4+A3XjMh/BVzBGcdgikWgaeGqXoyXg6aIBy2ngbDh7D9LR+e6zNDAwcAHqhmWMUl+Njo4FB64PoTnYRZkZwY1dTicXG5spCungyZ2fdTjsNH5rhvr6eml0dPQ3qJzkFFxB2H++gBnOmmsFS20iCnpJGjOQrHHZYIi0pCKMqUhyw2rNQe0rdPrU79Tb23sdmCegMsDFqCIfr/X19gUuX71GazAP6OWol5x+nanbLZeOVPJJcMxKw2M36YejHXTp0qV2kL0vMZC0tbUNTE1PfYgBUp32+KiysmKxBNUM/X150SNiNIJ3my0XU1KQDrYdoFNYmJIPwSlPykiGgWEPiNH5y08/kDk7h6qrqxIVkTSCEse0PoymRybZjPg+s54d6Th6hL7v+H5iaGjoI9w4nzYTtre3L8CA57u6Tl9o/+Zr8kdU2rRpo+AEG6Kddklw1q+JZNj1ySkm2J+Tk0XzvhAdPHiIPv/s07lz5869hynrO3gfyTiW88jc2NjYHA6H2qamph54rHmHxJGYw2g+PDws2jIfYhZLshVrZzwlxjGrNYt42jIrMv09epO+bvuCOjo6Jnp6et7H8PMJnvMu+13Aq7Ozc3jz5s1PIiUtN27cePmhhgZr/YMNGKNqRHfkUY0N4ajw5MRgzHAWnqY47+OT09TV9Rv9CMIh5V34MPkY7xxeCp7RAF7d3d1TlZWVr4Oth2DEm6e6uhpdrgqLe9PdVHp7GeXaneTEyC6raFrIeUSVick7MnyZerr/oH7UeV9f35/9/f3tCPm34NF5gIczYSnLjVDgA79wEpNLz5kzZzaWlpa+UF5+8hHM+oX4QsrGKIXyNiXGLEQkOjk5Oc0dDk3mV/SXTvCmF8Bz/zaqSfyJbFw8eHA3A2Hor7/+psHBGwTm8i3+GFwNKVqU2yC5i8wMQBiIv/1GIPz55af/sf4RYACTajXlBRuURAAAAABJRU5ErkJggg=='
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, gVPP59x0g7rK6ZWOvl.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs Security API names: _0020.SetAccessControl
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs Security API names: _0020.AddAccessRule
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs Security API names: _0020.SetAccessControl
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs Security API names: _0020.AddAccessRule
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, gVPP59x0g7rK6ZWOvl.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, gVPP59x0g7rK6ZWOvl.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs Security API names: _0020.SetAccessControl
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs Security API names: _0020.AddAccessRule
Source: CCSJ.exe.10.dr Binary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@34/27@3/3
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z, 17_2_004182CE
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 16_2_00417952
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification, 19_2_00410DE1
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z, 17_2_00418758
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 16_2_0040F474
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 16_2_0041B4A8
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 16_2_0041AA4A
Source: C:\Users\user\Desktop\tWitaq427K.exe File created: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Mutant created: \Sessions\1\BaseNamedObjects\BvhBtyDlVbLnqYhZtgyQy
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5368:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Users\user\Desktop\tWitaq427K.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-BW3KDF
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7964
Source: C:\Users\user\Desktop\tWitaq427K.exe File created: C:\Users\user\AppData\Local\Temp\tmp7D5C.tmp Jump to behavior
Source: tWitaq427K.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tWitaq427K.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\tWitaq427K.exe System information queried: HandleInformation
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\tWitaq427K.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: tWitaq427K.exe, tWitaq427K.exe, 00000011.00000002.1415406769.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: tWitaq427K.exe, tWitaq427K.exe, 00000012.00000002.1402057840.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: tWitaq427K.exe, 00000011.00000002.1415406769.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: tWitaq427K.exe, tWitaq427K.exe, 00000011.00000002.1415406769.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: tWitaq427K.exe, tWitaq427K.exe, 00000011.00000002.1415406769.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: tWitaq427K.exe, tWitaq427K.exe, 00000011.00000002.1415406769.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: tWitaq427K.exe, 00000011.00000002.1417004183.0000000003041000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: tWitaq427K.exe, tWitaq427K.exe, 00000011.00000002.1415406769.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: tWitaq427K.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\tWitaq427K.exe File read: C:\Users\user\Desktop\tWitaq427K.exe Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\tWitaq427K.exe "C:\Users\user\Desktop\tWitaq427K.exe"
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tWitaq427K.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmp7D5C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe "C:\Users\user\Desktop\tWitaq427K.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe C:\Users\user\AppData\Roaming\znlzneAxBVd.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmp9076.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process created: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\qtoymupgtjxsaaccmaaspxxfkmvim"
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\avtqnnaahrpfcgygdlmlsckwtsernvlr"
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\dpyb"
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\gncx"
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\azftvwrumrngvelhzdysqkd"
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\youltgrrcajydbitqwajywbyycxy"
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\AppData\Local\Temp\CCSJ.exe "C:\Users\user\AppData\Local\Temp\CCSJ.exe"
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7964 -s 1876
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tWitaq427K.exe" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmp7D5C.tmp" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe "C:\Users\user\Desktop\tWitaq427K.exe" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\qtoymupgtjxsaaccmaaspxxfkmvim" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\avtqnnaahrpfcgygdlmlsckwtsernvlr" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\dpyb" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\gncx" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\azftvwrumrngvelhzdysqkd" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\youltgrrcajydbitqwajywbyycxy" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\AppData\Local\Temp\CCSJ.exe "C:\Users\user\AppData\Local\Temp\CCSJ.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmp9076.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process created: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tWitaq427K.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe File opened: C:\Users\user\Desktop\tWitaq427K.cfg
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\tWitaq427K.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: tWitaq427K.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: tWitaq427K.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: tWitaq427K.exe Static file information: File size 1140744 > 1048576
Source: tWitaq427K.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x111400
Source: tWitaq427K.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: tWitaq427K.exe, PhotoBoothHome.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: znlzneAxBVd.exe.2.dr, PhotoBoothHome.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs .Net Code: MNFJrBJ49X System.Reflection.Assembly.Load(byte[])
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs .Net Code: MNFJrBJ49X System.Reflection.Assembly.Load(byte[])
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs .Net Code: MNFJrBJ49X System.Reflection.Assembly.Load(byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 16_2_0041CB50
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 2_2_011E5DFF push eax; iretd 2_2_011E5E29
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 2_2_011E9C61 push 38051993h; iretd 2_2_011E9C6D
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 2_2_0522AC43 push eax; mov dword ptr [esp], edx 2_2_0522AC54
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 2_2_052A35BD push ebx; retf 2_2_052A35EA
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 2_2_052A35EB push ebx; retf 2_2_052A35EA
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 2_2_052A36D9 push ebx; iretd 2_2_052A36DA
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_10002806 push ecx; ret 10_2_10002819
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00457106 push ecx; ret 16_2_00457119
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0045B11A push esp; ret 16_2_0045B141
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0045E54D push esi; ret 16_2_0045E556
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00457A28 push eax; ret 16_2_00457A46
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00434E56 push ecx; ret 16_2_00434E69
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0044693D push ecx; ret 17_2_0044694D
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0044DB70 push eax; ret 17_2_0044DB84
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0044DB70 push eax; ret 17_2_0044DBAC
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00451D54 push eax; ret 17_2_00451D61
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_0044B090 push eax; ret 18_2_0044B0A4
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_0044B090 push eax; ret 18_2_0044B0CC
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_00451D34 push eax; ret 18_2_00451D41
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_00444E71 push ecx; ret 18_2_00444E81
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00414060 push eax; ret 19_2_00414074
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00414060 push eax; ret 19_2_0041409C
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00414039 push ecx; ret 19_2_00414049
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_004164EB push 0000006Ah; retf 19_2_004165C4
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00416553 push 0000006Ah; retf 19_2_004165C4
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00416555 push 0000006Ah; retf 19_2_004165C4
Source: tWitaq427K.exe Static PE information: section name: .text entropy: 7.954754683206141
Source: znlzneAxBVd.exe.2.dr Static PE information: section name: .text entropy: 7.954754683206141
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, gVPP59x0g7rK6ZWOvl.cs High entropy of concatenated method names: 'b5jRAhRFS2', 'YvGR4nOMMO', 'NdxRl73dVZ', 'MipRtbHrsB', 'fXmRbjFT6c', 'O6OROrOBfO', 'RU6R7BbkJ0', 'RaoRBTGZt7', 'JJFR2UQ3iq', 'TZtRaii9Sb'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, b5Z6ZpMTmYhNDSOPgy.cs High entropy of concatenated method names: 'CcgkmqZxk3', 'ppak8ZSyrZ', 'h6kkruOIyE', 'orckSdQMT6', 'ngdkYtxfSL', 'n1Akvm6oEV', 'a4qkiMblni', 'w1hkLu7Fff', 'tNgMFIBHoepsk8Ka4Th', 'nrsIm6BJU5f9veCD0cL'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, UCLDXKTwALbqw6acgM.cs High entropy of concatenated method names: 'yM7ksBmBTl', 'HndkRkGkKX', 'vTmkZ8trKM', 'gMvkjIaWBs', 'gbsknObfCI', 'DARZb63CaB', 'MfhZOYGnZx', 'L7tZ7hPUrJ', 'JivZByQMkg', 'mMAZ28XhEK'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, Uh7CyXBrKx7CHZBlRH.cs High entropy of concatenated method names: 'UHmGfNv42k', 'muAGRKIIsE', 'L3CG9aBl27', 'E1PGZVddug', 'TEVGk3pHmQ', 'wIVGjebxir', 'wiLGnVOW23', 'CLBGgGNRZT', 'QQEGpNWXvI', 'I72GoVUoA0'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, ot7ccRIYfCGBeI1Nt4.cs High entropy of concatenated method names: 'I9kjfTS8Xx', 'lwjj9w04Sm', 'FWRjkIbkRX', 'PTxkaJQD8J', 'Km6kzeqd0l', 'UOojQg6Ve4', 'i7OjW1pxjC', 'b0WjCJqjab', 'L5bj65aWBm', 'mhJjJS3Imo'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, TfG9VpJWTGHvDMAOW4.cs High entropy of concatenated method names: 'YpRWjVPP59', 'og7WnrK6ZW', 'wkwWpDkSYM', 'JtdWo6aRkg', 'ptWW0vEbCL', 'HXKWUwALbq', 'SyGdN4oX9VAoaRmADl', 'K4q2eu4bVFhxOAbFw4', 'zJvWWjpQ56', 'WD9W61XbPE'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, C9ZsP4lLVd0D38e7iF.cs High entropy of concatenated method names: 'ToString', 'WDEU1wLqk3', 'HHEUdnCIRm', 'qJDUDKOY6F', 'mDSUM7sM6E', 'Ai8UXBHrbM', 'dIJUEQhHyE', 'McGUIpvb6O', 'gXRUcHSxwT', 'ucbU5P1MYa'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, WiwhDEOeobox14JLf2.cs High entropy of concatenated method names: 'QW0yBfccu6', 'B4Sya7iGUa', 'iJZGQfT9D8', 'HE3GWR46Ka', 'V05y1IibIJ', 'Khoy3flCdB', 'gGTyKVU5EZ', 'MBjyAVjeQ4', 'N4wy4hJVax', 'OUjylidDyA'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, fCsRxAWQlGZ1RtPLE5a.cs High entropy of concatenated method names: 'j4SH8ei9ae', 'LSWHq1gOA3', 'vPVHrie5qh', 'cxQHSWHhQm', 'JsQHN1Vjc1', 'Nl2HYLN9ox', 'u5MHvf5PBP', 'fOMHxfnyY8', 'lNZHiZHAXZ', 'zqRHLSnaWy'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, npLGRyAU4LiV4BYMRm.cs High entropy of concatenated method names: 'EcP0FOtUmJ', 'ACc03KItT3', 'ubN0AN8g5R', 'FMx04Zous4', 'zjR0dHBMrw', 'MhS0DJxAC8', 'qT20MYyqDJ', 'f800XOmME2', 'Oss0EVfh8s', 'vO40Ihavxn'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, VwD1A4Krg6ay80AAUQ.cs High entropy of concatenated method names: 'qbZVxjSrcO', 'w07ViddbQE', 'JbGVTLemUj', 'gkyVd77AmV', 'NAsVMQxdmn', 'jgHVXtK9rO', 'tncVIhU4PQ', 'IQvVc1Kj8p', 'fVCVF0xIWc', 'Ax0V1yLvNU'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, YRkgxaL7fs19wUtWvE.cs High entropy of concatenated method names: 'felZN1DGWV', 'bM7Zv1sqCb', 'gAr9DoQKIu', 'UJE9Mv6Kne', 'mKS9XbFkYU', 'LYS9EBAffH', 'uj39IaNKPp', 'Kv09cfOhfr', 'FG5956HejZ', 'IFQ9F7DEmL'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, lWFL1Zax9sOlYCjl2P.cs High entropy of concatenated method names: 'DdpHWTbDRO', 'KRBH6h2vdJ', 'zXUHJQrVqf', 'mbbHfYYLy9', 'xANHRRDxw6', 'MUoHZ5iLSh', 'WWaHk1lj6k', 'O0RG7UYSnU', 'pTcGBqm2pL', 'ufIG2Xg9S6'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, MiBZoGzXoBWkGomNiG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'muYHVTUo6Z', 'p88H0Zhxp3', 'lT7HUyeWvQ', 'zogHyLOKrn', 'TK7HGKkwA5', 'Rh7HHC5oVW', 'IjJHPEkm2i'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, PnUTpiW6WXJMEpReP0D.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MB6PAaKGyY', 'nvcP4FhPis', 'zRRPlEnNtP', 'Q6dPtSmEwS', 'XdVPbWMdS6', 'iwfPOLOEV0', 'uFLP7IIQXi'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, l2l1amikwDkSYMXtd6.cs High entropy of concatenated method names: 'lI29S99lQ7', 'BNi9Ys1CuM', 'Hgt9xZcCnu', 'XB39iTbVIt', 'CAY90IF9lq', 'xpi9UFIu4H', 'rAL9ynlF30', 'Qjt9GIswhG', 'f1S9HckxLr', 'CFW9P57PY4'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, kQAisy255KPRYZ0AXG.cs High entropy of concatenated method names: 'P4IGToaCJd', 'GueGdNPvTn', 'DHsGDrF35t', 'VaDGMP8Lgi', 'AEpGA3o8aE', 'e5EGXFr1uc', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, MXbKB5RaqyYt1WWwDP.cs High entropy of concatenated method names: 'Dispose', 'PTEW2NSV7A', 'TiHCdBEVPr', 'HcDqqfoK8s', 'WbhWa7CyXr', 'Qx7WzCHZBl', 'ProcessDialogKey', 'gHnCQQAisy', 'N5KCWPRYZ0', 'QXGCCgWFL1'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, QgxhOK5sxigKaKcO6j.cs High entropy of concatenated method names: 'cG2j8eubCD', 'LedjqDoLR1', 'q4tjrFlSQD', 'RyijS8mdUF', 'QHyjN543vd', 'Gx8jY4C19u', 'GD8jvZxWcA', 'i19jxE001t', 'FjIjiMlDPT', 'SQFjLomEgB'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, tCvJFyCJaxowbDKX1A.cs High entropy of concatenated method names: 'WuyrCR4ii', 'r3VSjpeMF', 'tN8YPqYSd', 'tIgvnJRrK', 'O5Gi1aOSO', 'D84LjCe3k', 'LG6YTMAcligSBlsVSp', 'bkgEXnhhq1ElD9pE2c', 'XdLGjx18M', 'sLmPaacGU'
Source: 2.2.tWitaq427K.exe.5ff0000.6.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs High entropy of concatenated method names: 'sjP6siki0O', 'UlC6fKZmgk', 'Nj36R1ZHHC', 'n9H69Meg9Z', 'Voj6ZscI9o', 'Kok6kqO1mq', 'AsR6jApGAj', 'S4D6nXSNtD', 'pNM6gjcPtm', 'oof6pxaZNP'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, gVPP59x0g7rK6ZWOvl.cs High entropy of concatenated method names: 'b5jRAhRFS2', 'YvGR4nOMMO', 'NdxRl73dVZ', 'MipRtbHrsB', 'fXmRbjFT6c', 'O6OROrOBfO', 'RU6R7BbkJ0', 'RaoRBTGZt7', 'JJFR2UQ3iq', 'TZtRaii9Sb'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, b5Z6ZpMTmYhNDSOPgy.cs High entropy of concatenated method names: 'CcgkmqZxk3', 'ppak8ZSyrZ', 'h6kkruOIyE', 'orckSdQMT6', 'ngdkYtxfSL', 'n1Akvm6oEV', 'a4qkiMblni', 'w1hkLu7Fff', 'tNgMFIBHoepsk8Ka4Th', 'nrsIm6BJU5f9veCD0cL'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, UCLDXKTwALbqw6acgM.cs High entropy of concatenated method names: 'yM7ksBmBTl', 'HndkRkGkKX', 'vTmkZ8trKM', 'gMvkjIaWBs', 'gbsknObfCI', 'DARZb63CaB', 'MfhZOYGnZx', 'L7tZ7hPUrJ', 'JivZByQMkg', 'mMAZ28XhEK'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, Uh7CyXBrKx7CHZBlRH.cs High entropy of concatenated method names: 'UHmGfNv42k', 'muAGRKIIsE', 'L3CG9aBl27', 'E1PGZVddug', 'TEVGk3pHmQ', 'wIVGjebxir', 'wiLGnVOW23', 'CLBGgGNRZT', 'QQEGpNWXvI', 'I72GoVUoA0'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, ot7ccRIYfCGBeI1Nt4.cs High entropy of concatenated method names: 'I9kjfTS8Xx', 'lwjj9w04Sm', 'FWRjkIbkRX', 'PTxkaJQD8J', 'Km6kzeqd0l', 'UOojQg6Ve4', 'i7OjW1pxjC', 'b0WjCJqjab', 'L5bj65aWBm', 'mhJjJS3Imo'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, TfG9VpJWTGHvDMAOW4.cs High entropy of concatenated method names: 'YpRWjVPP59', 'og7WnrK6ZW', 'wkwWpDkSYM', 'JtdWo6aRkg', 'ptWW0vEbCL', 'HXKWUwALbq', 'SyGdN4oX9VAoaRmADl', 'K4q2eu4bVFhxOAbFw4', 'zJvWWjpQ56', 'WD9W61XbPE'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, C9ZsP4lLVd0D38e7iF.cs High entropy of concatenated method names: 'ToString', 'WDEU1wLqk3', 'HHEUdnCIRm', 'qJDUDKOY6F', 'mDSUM7sM6E', 'Ai8UXBHrbM', 'dIJUEQhHyE', 'McGUIpvb6O', 'gXRUcHSxwT', 'ucbU5P1MYa'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, WiwhDEOeobox14JLf2.cs High entropy of concatenated method names: 'QW0yBfccu6', 'B4Sya7iGUa', 'iJZGQfT9D8', 'HE3GWR46Ka', 'V05y1IibIJ', 'Khoy3flCdB', 'gGTyKVU5EZ', 'MBjyAVjeQ4', 'N4wy4hJVax', 'OUjylidDyA'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, fCsRxAWQlGZ1RtPLE5a.cs High entropy of concatenated method names: 'j4SH8ei9ae', 'LSWHq1gOA3', 'vPVHrie5qh', 'cxQHSWHhQm', 'JsQHN1Vjc1', 'Nl2HYLN9ox', 'u5MHvf5PBP', 'fOMHxfnyY8', 'lNZHiZHAXZ', 'zqRHLSnaWy'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, npLGRyAU4LiV4BYMRm.cs High entropy of concatenated method names: 'EcP0FOtUmJ', 'ACc03KItT3', 'ubN0AN8g5R', 'FMx04Zous4', 'zjR0dHBMrw', 'MhS0DJxAC8', 'qT20MYyqDJ', 'f800XOmME2', 'Oss0EVfh8s', 'vO40Ihavxn'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, VwD1A4Krg6ay80AAUQ.cs High entropy of concatenated method names: 'qbZVxjSrcO', 'w07ViddbQE', 'JbGVTLemUj', 'gkyVd77AmV', 'NAsVMQxdmn', 'jgHVXtK9rO', 'tncVIhU4PQ', 'IQvVc1Kj8p', 'fVCVF0xIWc', 'Ax0V1yLvNU'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, YRkgxaL7fs19wUtWvE.cs High entropy of concatenated method names: 'felZN1DGWV', 'bM7Zv1sqCb', 'gAr9DoQKIu', 'UJE9Mv6Kne', 'mKS9XbFkYU', 'LYS9EBAffH', 'uj39IaNKPp', 'Kv09cfOhfr', 'FG5956HejZ', 'IFQ9F7DEmL'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, lWFL1Zax9sOlYCjl2P.cs High entropy of concatenated method names: 'DdpHWTbDRO', 'KRBH6h2vdJ', 'zXUHJQrVqf', 'mbbHfYYLy9', 'xANHRRDxw6', 'MUoHZ5iLSh', 'WWaHk1lj6k', 'O0RG7UYSnU', 'pTcGBqm2pL', 'ufIG2Xg9S6'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, MiBZoGzXoBWkGomNiG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'muYHVTUo6Z', 'p88H0Zhxp3', 'lT7HUyeWvQ', 'zogHyLOKrn', 'TK7HGKkwA5', 'Rh7HHC5oVW', 'IjJHPEkm2i'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, PnUTpiW6WXJMEpReP0D.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MB6PAaKGyY', 'nvcP4FhPis', 'zRRPlEnNtP', 'Q6dPtSmEwS', 'XdVPbWMdS6', 'iwfPOLOEV0', 'uFLP7IIQXi'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, l2l1amikwDkSYMXtd6.cs High entropy of concatenated method names: 'lI29S99lQ7', 'BNi9Ys1CuM', 'Hgt9xZcCnu', 'XB39iTbVIt', 'CAY90IF9lq', 'xpi9UFIu4H', 'rAL9ynlF30', 'Qjt9GIswhG', 'f1S9HckxLr', 'CFW9P57PY4'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, kQAisy255KPRYZ0AXG.cs High entropy of concatenated method names: 'P4IGToaCJd', 'GueGdNPvTn', 'DHsGDrF35t', 'VaDGMP8Lgi', 'AEpGA3o8aE', 'e5EGXFr1uc', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, MXbKB5RaqyYt1WWwDP.cs High entropy of concatenated method names: 'Dispose', 'PTEW2NSV7A', 'TiHCdBEVPr', 'HcDqqfoK8s', 'WbhWa7CyXr', 'Qx7WzCHZBl', 'ProcessDialogKey', 'gHnCQQAisy', 'N5KCWPRYZ0', 'QXGCCgWFL1'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, QgxhOK5sxigKaKcO6j.cs High entropy of concatenated method names: 'cG2j8eubCD', 'LedjqDoLR1', 'q4tjrFlSQD', 'RyijS8mdUF', 'QHyjN543vd', 'Gx8jY4C19u', 'GD8jvZxWcA', 'i19jxE001t', 'FjIjiMlDPT', 'SQFjLomEgB'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, tCvJFyCJaxowbDKX1A.cs High entropy of concatenated method names: 'WuyrCR4ii', 'r3VSjpeMF', 'tN8YPqYSd', 'tIgvnJRrK', 'O5Gi1aOSO', 'D84LjCe3k', 'LG6YTMAcligSBlsVSp', 'bkgEXnhhq1ElD9pE2c', 'XdLGjx18M', 'sLmPaacGU'
Source: 2.2.tWitaq427K.exe.4144db0.1.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs High entropy of concatenated method names: 'sjP6siki0O', 'UlC6fKZmgk', 'Nj36R1ZHHC', 'n9H69Meg9Z', 'Voj6ZscI9o', 'Kok6kqO1mq', 'AsR6jApGAj', 'S4D6nXSNtD', 'pNM6gjcPtm', 'oof6pxaZNP'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, gVPP59x0g7rK6ZWOvl.cs High entropy of concatenated method names: 'b5jRAhRFS2', 'YvGR4nOMMO', 'NdxRl73dVZ', 'MipRtbHrsB', 'fXmRbjFT6c', 'O6OROrOBfO', 'RU6R7BbkJ0', 'RaoRBTGZt7', 'JJFR2UQ3iq', 'TZtRaii9Sb'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, b5Z6ZpMTmYhNDSOPgy.cs High entropy of concatenated method names: 'CcgkmqZxk3', 'ppak8ZSyrZ', 'h6kkruOIyE', 'orckSdQMT6', 'ngdkYtxfSL', 'n1Akvm6oEV', 'a4qkiMblni', 'w1hkLu7Fff', 'tNgMFIBHoepsk8Ka4Th', 'nrsIm6BJU5f9veCD0cL'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, UCLDXKTwALbqw6acgM.cs High entropy of concatenated method names: 'yM7ksBmBTl', 'HndkRkGkKX', 'vTmkZ8trKM', 'gMvkjIaWBs', 'gbsknObfCI', 'DARZb63CaB', 'MfhZOYGnZx', 'L7tZ7hPUrJ', 'JivZByQMkg', 'mMAZ28XhEK'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, Uh7CyXBrKx7CHZBlRH.cs High entropy of concatenated method names: 'UHmGfNv42k', 'muAGRKIIsE', 'L3CG9aBl27', 'E1PGZVddug', 'TEVGk3pHmQ', 'wIVGjebxir', 'wiLGnVOW23', 'CLBGgGNRZT', 'QQEGpNWXvI', 'I72GoVUoA0'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, ot7ccRIYfCGBeI1Nt4.cs High entropy of concatenated method names: 'I9kjfTS8Xx', 'lwjj9w04Sm', 'FWRjkIbkRX', 'PTxkaJQD8J', 'Km6kzeqd0l', 'UOojQg6Ve4', 'i7OjW1pxjC', 'b0WjCJqjab', 'L5bj65aWBm', 'mhJjJS3Imo'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, TfG9VpJWTGHvDMAOW4.cs High entropy of concatenated method names: 'YpRWjVPP59', 'og7WnrK6ZW', 'wkwWpDkSYM', 'JtdWo6aRkg', 'ptWW0vEbCL', 'HXKWUwALbq', 'SyGdN4oX9VAoaRmADl', 'K4q2eu4bVFhxOAbFw4', 'zJvWWjpQ56', 'WD9W61XbPE'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, C9ZsP4lLVd0D38e7iF.cs High entropy of concatenated method names: 'ToString', 'WDEU1wLqk3', 'HHEUdnCIRm', 'qJDUDKOY6F', 'mDSUM7sM6E', 'Ai8UXBHrbM', 'dIJUEQhHyE', 'McGUIpvb6O', 'gXRUcHSxwT', 'ucbU5P1MYa'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, WiwhDEOeobox14JLf2.cs High entropy of concatenated method names: 'QW0yBfccu6', 'B4Sya7iGUa', 'iJZGQfT9D8', 'HE3GWR46Ka', 'V05y1IibIJ', 'Khoy3flCdB', 'gGTyKVU5EZ', 'MBjyAVjeQ4', 'N4wy4hJVax', 'OUjylidDyA'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, fCsRxAWQlGZ1RtPLE5a.cs High entropy of concatenated method names: 'j4SH8ei9ae', 'LSWHq1gOA3', 'vPVHrie5qh', 'cxQHSWHhQm', 'JsQHN1Vjc1', 'Nl2HYLN9ox', 'u5MHvf5PBP', 'fOMHxfnyY8', 'lNZHiZHAXZ', 'zqRHLSnaWy'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, npLGRyAU4LiV4BYMRm.cs High entropy of concatenated method names: 'EcP0FOtUmJ', 'ACc03KItT3', 'ubN0AN8g5R', 'FMx04Zous4', 'zjR0dHBMrw', 'MhS0DJxAC8', 'qT20MYyqDJ', 'f800XOmME2', 'Oss0EVfh8s', 'vO40Ihavxn'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, VwD1A4Krg6ay80AAUQ.cs High entropy of concatenated method names: 'qbZVxjSrcO', 'w07ViddbQE', 'JbGVTLemUj', 'gkyVd77AmV', 'NAsVMQxdmn', 'jgHVXtK9rO', 'tncVIhU4PQ', 'IQvVc1Kj8p', 'fVCVF0xIWc', 'Ax0V1yLvNU'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, YRkgxaL7fs19wUtWvE.cs High entropy of concatenated method names: 'felZN1DGWV', 'bM7Zv1sqCb', 'gAr9DoQKIu', 'UJE9Mv6Kne', 'mKS9XbFkYU', 'LYS9EBAffH', 'uj39IaNKPp', 'Kv09cfOhfr', 'FG5956HejZ', 'IFQ9F7DEmL'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, lWFL1Zax9sOlYCjl2P.cs High entropy of concatenated method names: 'DdpHWTbDRO', 'KRBH6h2vdJ', 'zXUHJQrVqf', 'mbbHfYYLy9', 'xANHRRDxw6', 'MUoHZ5iLSh', 'WWaHk1lj6k', 'O0RG7UYSnU', 'pTcGBqm2pL', 'ufIG2Xg9S6'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, MiBZoGzXoBWkGomNiG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'muYHVTUo6Z', 'p88H0Zhxp3', 'lT7HUyeWvQ', 'zogHyLOKrn', 'TK7HGKkwA5', 'Rh7HHC5oVW', 'IjJHPEkm2i'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, PnUTpiW6WXJMEpReP0D.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MB6PAaKGyY', 'nvcP4FhPis', 'zRRPlEnNtP', 'Q6dPtSmEwS', 'XdVPbWMdS6', 'iwfPOLOEV0', 'uFLP7IIQXi'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, l2l1amikwDkSYMXtd6.cs High entropy of concatenated method names: 'lI29S99lQ7', 'BNi9Ys1CuM', 'Hgt9xZcCnu', 'XB39iTbVIt', 'CAY90IF9lq', 'xpi9UFIu4H', 'rAL9ynlF30', 'Qjt9GIswhG', 'f1S9HckxLr', 'CFW9P57PY4'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, kQAisy255KPRYZ0AXG.cs High entropy of concatenated method names: 'P4IGToaCJd', 'GueGdNPvTn', 'DHsGDrF35t', 'VaDGMP8Lgi', 'AEpGA3o8aE', 'e5EGXFr1uc', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, MXbKB5RaqyYt1WWwDP.cs High entropy of concatenated method names: 'Dispose', 'PTEW2NSV7A', 'TiHCdBEVPr', 'HcDqqfoK8s', 'WbhWa7CyXr', 'Qx7WzCHZBl', 'ProcessDialogKey', 'gHnCQQAisy', 'N5KCWPRYZ0', 'QXGCCgWFL1'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, QgxhOK5sxigKaKcO6j.cs High entropy of concatenated method names: 'cG2j8eubCD', 'LedjqDoLR1', 'q4tjrFlSQD', 'RyijS8mdUF', 'QHyjN543vd', 'Gx8jY4C19u', 'GD8jvZxWcA', 'i19jxE001t', 'FjIjiMlDPT', 'SQFjLomEgB'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, tCvJFyCJaxowbDKX1A.cs High entropy of concatenated method names: 'WuyrCR4ii', 'r3VSjpeMF', 'tN8YPqYSd', 'tIgvnJRrK', 'O5Gi1aOSO', 'D84LjCe3k', 'LG6YTMAcligSBlsVSp', 'bkgEXnhhq1ElD9pE2c', 'XdLGjx18M', 'sLmPaacGU'
Source: 2.2.tWitaq427K.exe.408a590.3.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs High entropy of concatenated method names: 'sjP6siki0O', 'UlC6fKZmgk', 'Nj36R1ZHHC', 'n9H69Meg9Z', 'Voj6ZscI9o', 'Kok6kqO1mq', 'AsR6jApGAj', 'S4D6nXSNtD', 'pNM6gjcPtm', 'oof6pxaZNP'
Contains functionality to download and launch executables
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 16_2_00406EB0
Drops PE files
Source: C:\Users\user\Desktop\tWitaq427K.exe File created: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Jump to dropped file
Source: C:\Users\user\Desktop\tWitaq427K.exe File created: C:\Users\user\AppData\Local\Temp\CCSJ.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmp7D5C.tmp"
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 16_2_0041AA4A

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 16_2_0041CB50
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: tWitaq427K.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: znlzneAxBVd.exe PID: 8028, type: MEMORYSTR
Delayed program exit found
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040F7A7 Sleep,ExitProcess, 16_2_0040F7A7
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\tWitaq427K.exe Memory allocated: 11C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Memory allocated: 2C70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Memory allocated: 4C70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Memory allocated: 61F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Memory allocated: 71F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Memory allocated: 7330000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Memory allocated: 8330000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Memory allocated: 1040000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Memory allocated: 2AE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Memory allocated: 4AE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Memory allocated: 6000000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Memory allocated: 7000000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Memory allocated: 7140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Memory allocated: 8140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Memory allocated: 1070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Memory allocated: 2D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Memory allocated: 1330000 memory reserve | memory write watch
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 17_2_0040DD85
Contains functionality to enumerate running services
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 16_2_0041A748
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\tWitaq427K.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9068 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 492 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8740 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 522 Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Window / User API: threadDelayed 9303 Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Window / User API: foregroundWindowGot 1762 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Window / User API: threadDelayed 6468
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe API coverage: 6.0 %
Source: C:\Users\user\Desktop\tWitaq427K.exe API coverage: 9.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\tWitaq427K.exe TID: 7488 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7956 Thread sleep time: -8301034833169293s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7972 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7948 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe TID: 8000 Thread sleep time: -112000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe TID: 8004 Thread sleep time: -579000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe TID: 8004 Thread sleep time: -27909000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe TID: 8064 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 7152 Thread sleep count: 6468 > 30
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 7152 Thread sleep count: 58 > 30
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -99215s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -98708s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -98140s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -97921s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -97702s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -97593s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -97265s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -97033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -96906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -96796s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -96687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -96578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -96442s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -96309s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe TID: 2580 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 10_2_100010F1
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_10006580 FindFirstFileExA, 10_2_10006580
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 16_2_00409253
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 16_2_0041C291
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 16_2_0040C34D
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 16_2_00409665
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0044E879 FindFirstFileExA, 16_2_0044E879
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 16_2_0040880C
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040783C FindFirstFileW,FindNextFileW, 16_2_0040783C
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 16_2_00419AF5
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 16_2_0040BB30
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 16_2_0040BD37
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW, 17_2_0040AE51
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 18_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 18_2_00407EF8
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 19_2_00407898
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 16_2_00407C97
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_00418981 memset,GetSystemInfo, 17_2_00418981
Source: C:\Users\user\Desktop\tWitaq427K.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 99215
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 99094
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 98875
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 98708
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 98469
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 98250
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 98140
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 98031
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 97921
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 97812
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 97702
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 97593
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 97484
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 97375
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 97265
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 97156
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 97033
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 96906
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 96796
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 96687
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 96578
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 96442
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 96309
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.32.dr Binary or memory string: VMware
Source: CCSJ.exe, 0000001C.00000002.3795462306.0000000001146000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: Amcache.hve.32.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.32.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.32.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.32.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.32.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.32.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.32.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: tWitaq427K.exe, 0000000A.00000002.3618263040.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 0000000A.00000002.3618263040.0000000000C81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.32.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.32.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.32.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.32.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.32.dr Binary or memory string: vmci.sys
Source: Amcache.hve.32.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.32.dr Binary or memory string: \driver\vmci,\driver\pci
Source: znlzneAxBVd.exe, 0000000B.00000002.1426333799.0000000005554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: Amcache.hve.32.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.32.dr Binary or memory string: VMware20,1
Source: Amcache.hve.32.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.32.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.32.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.32.dr Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.32.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.32.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.32.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.32.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.32.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.32.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.32.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.32.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\tWitaq427K.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\tWitaq427K.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\tWitaq427K.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_100060E2
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 17_2_0040DD85
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 16_2_0041CB50
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_10004AB4 mov eax, dword ptr fs:[00000030h] 10_2_10004AB4
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_004432B5 mov eax, dword ptr fs:[00000030h] 16_2_004432B5
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_1000724E GetProcessHeap, 10_2_1000724E
Enables debug privileges
Source: C:\Users\user\Desktop\tWitaq427K.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\tWitaq427K.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_100060E2
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_10002639
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_10002B1C
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_004349F9
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00434B47 SetUnhandledExceptionFilter, 16_2_00434B47
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0043BB22
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00434FDC
Source: C:\Users\user\Desktop\tWitaq427K.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tWitaq427K.exe"
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tWitaq427K.exe" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe" Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: NULL target: C:\Users\user\Desktop\tWitaq427K.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: NULL target: C:\Users\user\Desktop\tWitaq427K.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: NULL target: C:\Users\user\Desktop\tWitaq427K.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: NULL target: C:\Users\user\Desktop\tWitaq427K.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: NULL target: C:\Users\user\Desktop\tWitaq427K.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Section loaded: NULL target: C:\Users\user\Desktop\tWitaq427K.exe protection: execute and read and write Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 16_2_004120F7
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00419627 mouse_event, 16_2_00419627
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tWitaq427K.exe" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmp7D5C.tmp" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe "C:\Users\user\Desktop\tWitaq427K.exe" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\qtoymupgtjxsaaccmaaspxxfkmvim" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\avtqnnaahrpfcgygdlmlsckwtsernvlr" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\dpyb" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\gncx" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\azftvwrumrngvelhzdysqkd" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\Desktop\tWitaq427K.exe C:\Users\user\Desktop\tWitaq427K.exe /stext "C:\Users\user\AppData\Local\Temp\youltgrrcajydbitqwajywbyycxy" Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Process created: C:\Users\user\AppData\Local\Temp\CCSJ.exe "C:\Users\user\AppData\Local\Temp\CCSJ.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmp9076.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process created: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe" Jump to behavior
Source: tWitaq427K.exe, 0000000A.00000002.3618904447.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerF
Source: tWitaq427K.exe, 0000000A.00000002.3618263040.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerDF\er[
Source: tWitaq427K.exe, 0000000A.00000002.3618263040.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 0000000A.00000002.3620454734.0000000004675000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: tWitaq427K.exe, 0000000A.00000002.3618263040.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp, tWitaq427K.exe, 0000000A.00000002.3619998946.0000000003EC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerDF\
Source: tWitaq427K.exe, 0000000A.00000002.3618263040.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerDF\M
Source: tWitaq427K.exe, 0000000A.00000002.3618789433.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageranager
Source: tWitaq427K.exe, 0000000A.00000002.3618263040.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerDF\er
Source: tWitaq427K.exe, 0000000A.00000002.3618904447.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr
Source: tWitaq427K.exe, 0000000A.00000002.3618263040.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerDF\er'
Source: tWitaq427K.exe, 0000000A.00000002.3618904447.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager}
Source: tWitaq427K.exe, 0000000A.00000002.3618263040.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, logs.dat.10.dr Binary or memory string: [Program Manager]
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_10002933 cpuid 10_2_10002933
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: EnumSystemLocalesW, 16_2_00452036
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 16_2_004520C3
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: GetLocaleInfoW, 16_2_00452313
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: EnumSystemLocalesW, 16_2_00448404
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 16_2_0045243C
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: GetLocaleInfoW, 16_2_00452543
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 16_2_00452610
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: GetLocaleInfoA, 16_2_0040F8D1
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: GetLocaleInfoW, 16_2_004488ED
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 16_2_00451CD8
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: EnumSystemLocalesW, 16_2_00451F50
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: EnumSystemLocalesW, 16_2_00451F9B
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\tWitaq427K.exe Queries volume information: C:\Users\user\Desktop\tWitaq427K.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Queries volume information: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tWitaq427K.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\tWitaq427K.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Queries volume information: C:\Users\user\AppData\Local\Temp\CCSJ.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 10_2_10002264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 10_2_10002264
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_0041B60D GetUserNameW, 16_2_0041B60D
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 16_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 16_2_00449190
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: 17_2_0041739B GetVersionExW, 17_2_0041739B
Source: C:\Users\user\Desktop\tWitaq427K.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.32.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.32.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.32.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.32.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.32.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 28.0.CCSJ.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.3798002095.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3798002095.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.3251132725.00000000008F2000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3798002095.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CCSJ.exe PID: 2620, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\CCSJ.exe, type: DROPPED
Yara detected Remcos RAT
Source: Yara match File source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1407193789.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3619364298.000000000299F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3618263040.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tWitaq427K.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tWitaq427K.exe PID: 7964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: znlzneAxBVd.exe PID: 8028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: znlzneAxBVd.exe PID: 3168, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 16_2_0040BA12
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 16_2_0040BB30
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: \key3.db 16_2_0040BB30
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\tWitaq427K.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\tWitaq427K.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Users\user\Desktop\tWitaq427K.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Instant Messenger accounts or passwords
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\tWitaq427K.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\CCSJ.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: ESMTPPassword 18_2_004033F0
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 18_2_00402DB3
Source: C:\Users\user\Desktop\tWitaq427K.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 18_2_00402DB3
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: tWitaq427K.exe PID: 6472, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 28.0.CCSJ.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000000.3251132725.00000000008F2000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3798002095.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CCSJ.exe PID: 2620, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\CCSJ.exe, type: DROPPED

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Users\user\Desktop\tWitaq427K.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-BW3KDF Jump to behavior
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-BW3KDF
Yara detected AgentTesla
Source: Yara match File source: 28.0.CCSJ.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.3798002095.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3798002095.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.3251132725.00000000008F2000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.3798002095.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CCSJ.exe PID: 2620, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\CCSJ.exe, type: DROPPED
Yara detected Remcos RAT
Source: Yara match File source: 16.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3bc5828.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tWitaq427K.exe.3d54be0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.tWitaq427K.exe.3d54be0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3bc5828.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.znlzneAxBVd.exe.3b4cc08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.1407193789.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3619364298.000000000299F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3618263040.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1399322984.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1423814962.0000000003B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1377599355.0000000003CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tWitaq427K.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tWitaq427K.exe PID: 7964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: znlzneAxBVd.exe PID: 8028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: znlzneAxBVd.exe PID: 3168, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: cmd.exe 16_2_0040569A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465385 Sample: tWitaq427K.exe Startdate: 01/07/2024 Architecture: WINDOWS Score: 100 64 smtp.yandex.com 2->64 66 antfly50.sytes.net 2->66 68 2 other IPs or domains 2->68 84 Found malware configuration 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 Antivirus detection for URL or domain 2->88 90 15 other signatures 2->90 8 tWitaq427K.exe 7 2->8         started        12 znlzneAxBVd.exe 5 2->12         started        signatures3 process4 file5 50 C:\Users\user\AppData\...\znlzneAxBVd.exe, PE32 8->50 dropped 52 C:\Users\...\znlzneAxBVd.exe:Zone.Identifier, ASCII 8->52 dropped 54 C:\Users\user\AppData\Local\...\tmp7D5C.tmp, XML 8->54 dropped 56 C:\Users\user\AppData\...\tWitaq427K.exe.log, ASCII 8->56 dropped 92 Tries to steal Mail credentials (via file registry) 8->92 94 Uses schtasks.exe or at.exe to add and modify task schedules 8->94 96 Adds a directory exclusion to Windows Defender 8->96 14 tWitaq427K.exe 3 17 8->14         started        19 powershell.exe 23 8->19         started        21 powershell.exe 23 8->21         started        23 schtasks.exe 1 8->23         started        98 Antivirus detection for dropped file 12->98 100 Multi AV Scanner detection for dropped file 12->100 102 Contains functionality to bypass UAC (CMSTPLUA) 12->102 104 6 other signatures 12->104 25 znlzneAxBVd.exe 12->25         started        27 schtasks.exe 12->27         started        signatures6 process7 dnsIp8 72 antfly50.sytes.net 80.85.154.121, 1980, 49711, 49713 CHELYABINSK-SIGNAL-ASRU Russian Federation 14->72 74 geoplugin.net 178.237.33.50, 49714, 80 ATOM86-ASATOM86NL Netherlands 14->74 58 C:\Users\user\AppData\Local\Temp\CCSJ.exe, PE32 14->58 dropped 60 C:\ProgramData\remcos\logs.dat, data 14->60 dropped 76 Detected Remcos RAT 14->76 78 Maps a DLL or memory area into another process 14->78 80 Installs a global keyboard hook 14->80 29 CCSJ.exe 14->29         started        33 tWitaq427K.exe 14->33         started        35 tWitaq427K.exe 14->35         started        47 5 other processes 14->47 82 Loading BitLocker PowerShell Module 19->82 37 conhost.exe 19->37         started        39 WmiPrvSE.exe 19->39         started        41 conhost.exe 21->41         started        43 conhost.exe 23->43         started        45 conhost.exe 27->45         started        file9 signatures10 process11 dnsIp12 70 smtp.yandex.ru 77.88.21.158, 49727, 587 YANDEXRU Russian Federation 29->70 106 Antivirus detection for dropped file 29->106 108 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 29->108 110 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 29->110 118 2 other signatures 29->118 112 Tries to steal Instant Messenger accounts or passwords 33->112 114 Tries to steal Mail credentials (via file / registry access) 33->114 62 C:\ProgramData\Microsoft\...\Report.wer, Unicode 47->62 dropped 116 Tries to harvest and steal browser information (history, passwords, etc) 47->116 file13 signatures14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
80.85.154.121
 antfly50.sytes.net Russian Federation
44493 CHELYABINSK-SIGNAL-ASRU true
77.88.21.158
 smtp.yandex.ru Russian Federation
13238 YANDEXRU false
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false

Contacted Domains

Name IP Active
antfly50.sytes.net 80.85.154.121 true
smtp.yandex.ru 77.88.21.158 true
geoplugin.net 178.237.33.50 true
smtp.yandex.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://geoplugin.net/json.gp false
  • URL Reputation: safe
 unknown
antfly50.sytes.net true
  • Avira URL Cloud: malware
 unknown