Windows Analysis Report
2024.scr.exe

Overview

General Information

Sample name: 2024.scr.exe
renamed because original name is a hash value
Original sample name: 02.07.2024.scr.exe
Analysis ID: 1466662
MD5: 225eafff6079cb1e726bc1ff4255225c
SHA1: 8c49f04cb44e11d6d121a10aa2d943f4fdbfd9b6
SHA256: 123a6e0ffbf48e1136e15e255e9eed03e7524b1999f4afb480ea59ba9ddf225d
Tags: AgentTeslaexescr
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 7.2.Logon32.exe.40c9058.2.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.com", "Username": "login112004@yandex.com", "Password": "okmabejemqjzazob"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Virustotal: Detection: 46% Perma Link
Multi AV Scanner detection for submitted file
Source: 2024.scr.exe ReversingLabs: Detection: 60%
Source: 2024.scr.exe Virustotal: Detection: 46% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 2024.scr.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 2024.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49730 version: TLS 1.2
Source: 2024.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: NHFC.pdb source: 2024.scr.exe, Logon32.exe.4.dr
Source: Binary string: NHFC.pdbSHA256 source: 2024.scr.exe, Logon32.exe.4.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4x nop then jmp 0CEE33C0h 0_2_0CEE2B62

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 7.2.Logon32.exe.40c9058.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Logon32.exe.408d238.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2024.scr.exe.376c328.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Logon32.exe.3bf64d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Logon32.exe.3c322f8.1.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49718 -> 77.88.21.158:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 77.88.21.158 77.88.21.158
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TUT-ASUS TUT-ASUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: ip-api.com
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49718 -> 77.88.21.158:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: smtp.yandex.com
Source: 2024.scr.exe, Logon32.exe.4.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 2024.scr.exe, Logon32.exe.4.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Logon32.exe, 0000000D.00000002.4650633138.0000000006C05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.gl
Source: Logon32.exe, 0000000D.00000002.4617751174.000000000146A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.glC
Source: Logon32.exe, 00000008.00000002.4654364740.0000000009DFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.glH
Source: Logon32.exe, 00000008.00000002.4654364740.0000000009DFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsrsaovsslca201
Source: 2024.scr.exe, 00000004.00000002.4662885949.0000000008DF0000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.000000000301A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003210000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4642620209.000000000696E000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.000000000335A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662227654.0000000008DA2000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4613926910.0000000001096000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4640662793.0000000006918000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003190000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4610287684.0000000001653000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.0000000003635000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000038B6000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000039B2000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4610287684.000000000162D000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.0000000003A6E000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.0000000003710000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsrsaovsslca2018.crl0j
Source: Logon32.exe, 00000008.00000002.4654364740.0000000009DFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ro
Source: 2024.scr.exe, 00000004.00000002.4662885949.0000000008DF0000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.000000000301A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003210000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4642620209.000000000696E000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4663337495.0000000008E44000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4640662793.00000000068C4000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662637580.0000000008DE2000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.000000000335A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662227654.0000000008DA2000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662101959.0000000008D90000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4613926910.0000000001096000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662227654.0000000008DAB000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662420241.0000000008DB8000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4616583342.0000000001125000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003190000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4654364740.0000000009DFD000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000038B6000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000039B2000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4610287684.000000000162D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: 2024.scr.exe, 00000004.00000002.4619512401.000000000301A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003210000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4663337495.0000000008E44000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.000000000335A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662227654.0000000008DA2000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4613926910.0000000001096000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662227654.0000000008DAB000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4616583342.0000000001125000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4642492941.0000000006966000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003190000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4610287684.0000000001653000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4654364740.0000000009DFD000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000038B6000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000039B2000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4610287684.000000000162D000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.0000000003A6E000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4654364740.0000000009D74000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4646328283.0000000006E36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: Logon32.exe, 00000008.00000002.4619569539.0000000003621000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: 2024.scr.exe, 00000000.00000002.2151973804.000000000376C000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000007.00000002.2291548460.000000000408D000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.0000000003621000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000C.00000002.2370533184.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000D.00000002.4618767842.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000D.00000002.4606513178.0000000000436000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: 2024.scr.exe, Logon32.exe.4.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: 2024.scr.exe, 00000004.00000002.4662885949.0000000008DF0000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.000000000301A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003210000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4642620209.000000000696E000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.000000000335A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662227654.0000000008DA2000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4613926910.0000000001096000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4640662793.0000000006918000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003190000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4610287684.0000000001653000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.0000000003635000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4654364740.0000000009DFD000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000038B6000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000039B2000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4610287684.000000000162D000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.0000000003A6E000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000037CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsrsaovsslca20180V
Source: 2024.scr.exe, 00000004.00000002.4619512401.000000000301A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003210000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4663337495.0000000008E44000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.000000000335A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662227654.0000000008DA2000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4613926910.0000000001096000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662227654.0000000008DAB000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4616583342.0000000001125000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4642492941.0000000006966000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003190000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4610287684.0000000001653000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4654364740.0000000009DFD000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000038B6000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000039B2000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4610287684.000000000162D000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.0000000003A6E000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4654364740.0000000009D74000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4646328283.0000000006E36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: 2024.scr.exe, 00000004.00000002.4619512401.000000000301A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003210000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4642620209.000000000696E000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4663337495.0000000008E44000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4640662793.00000000068C4000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662637580.0000000008DE2000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.000000000335A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662227654.0000000008DA2000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662101959.0000000008D90000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4613926910.0000000001096000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662227654.0000000008DAB000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662420241.0000000008DB8000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4616583342.0000000001125000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003190000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4654364740.0000000009DFD000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000038B6000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000039B2000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4610287684.000000000162D000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.0000000003A6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 2024.scr.exe, 00000000.00000002.2149694869.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000007.00000002.2290264143.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000035DC000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000C.00000002.2368962846.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000D.00000002.4618767842.0000000003091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Logon32.exe, 00000008.00000002.4654364740.0000000009DFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globals
Source: 2024.scr.exe, 00000004.00000002.4662885949.0000000008DF0000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.000000000301A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003210000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4642620209.000000000696E000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.000000000335A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662227654.0000000008DA2000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4613926910.0000000001096000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4640662793.0000000006918000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003190000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4610287684.0000000001653000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.0000000003635000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4654364740.0000000009DFD000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000038B6000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000039B2000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4610287684.000000000162D000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.0000000003A6E000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000037CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt07
Source: 2024.scr.exe, 00000004.00000002.4619512401.000000000301A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003210000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.000000000335A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003190000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000038B6000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000039B2000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.0000000003A6E000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000037CA000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.0000000003AFD000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000D.00000002.4618767842.00000000032F3000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000D.00000002.4618767842.000000000351E000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000D.00000002.4618767842.00000000035BD000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000D.00000002.4618767842.0000000003285000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000D.00000002.4618767842.0000000003470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://smtp.yandex.com
Source: 2024.scr.exe, 00000000.00000002.2151973804.000000000376C000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000007.00000002.2291548460.000000000408D000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4606483349.0000000000437000.00000040.00000400.00020000.00000000.sdmp, Logon32.exe, 0000000C.00000002.2370533184.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: 2024.scr.exe, 00000000.00000002.2151973804.000000000376C000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4605586625.0000000000435000.00000040.00000400.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000007.00000002.2291548460.000000000408D000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.00000000035DC000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000C.00000002.2370533184.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000D.00000002.4618767842.0000000003091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: Logon32.exe, 00000008.00000002.4619569539.00000000035DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: Logon32.exe, 00000008.00000002.4619569539.00000000035DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: 2024.scr.exe, Logon32.exe.4.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: Logon32.exe, 00000008.00000002.4610287684.000000000162D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repos
Source: 2024.scr.exe, 00000004.00000002.4662885949.0000000008DF0000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.000000000301A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003210000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4642620209.000000000696E000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4663337495.0000000008E44000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4640662793.00000000068C4000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662637580.0000000008DE2000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.000000000335A000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662227654.0000000008DA2000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662101959.0000000008D90000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4613926910.0000000001096000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662227654.0000000008DAB000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4662420241.0000000008DB8000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4640662793.0000000006918000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4616583342.0000000001125000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4642492941.0000000006966000.00000004.00000020.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000003190000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, R1W.cs .Net Code: OG9vqkCc
Source: 0.2.2024.scr.exe.376c328.3.raw.unpack, R1W.cs .Net Code: OG9vqkCc
Installs a global keyboard hook
Source: C:\Users\user\Desktop\2024.scr.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\2024.scr.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Logon32\Logon32.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\2024.scr.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Window created: window name: CLIPBRDWNDCLASS
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06DD8D59 GetKeyState,GetKeyState,GetKeyState, 4_2_06DD8D59
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06DD8D68 GetKeyState,GetKeyState,GetKeyState, 4_2_06DD8D68

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.2024.scr.exe.376c328.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.Logon32.exe.408d238.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.Logon32.exe.3bf64d8.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.Logon32.exe.3c322f8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.Logon32.exe.40c9058.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.2024.scr.exe.37a8148.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.Logon32.exe.40c9058.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.Logon32.exe.408d238.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.2024.scr.exe.376c328.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.Logon32.exe.3bf64d8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.Logon32.exe.3c322f8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: 0.2.2024.scr.exe.7330000.4.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
.NET source code contains very large strings
Source: 2024.scr.exe, frm_login.cs Long String: Length: 97210
Source: Logon32.exe.4.dr, frm_login.cs Long String: Length: 97210
Detected potential crypto function
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_00D6D5BC 0_2_00D6D5BC
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C32548 0_2_05C32548
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C3F510 0_2_05C3F510
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C32538 0_2_05C32538
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C36718 0_2_05C36718
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C36728 0_2_05C36728
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C326DB 0_2_05C326DB
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C36168 0_2_05C36168
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C36178 0_2_05C36178
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C34CAB 0_2_05C34CAB
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C36F80 0_2_05C36F80
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C36F88 0_2_05C36F88
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C32E7B 0_2_05C32E7B
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C309E8 0_2_05C309E8
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C309F8 0_2_05C309F8
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C3F948 0_2_05C3F948
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_0CEE4B70 0_2_0CEE4B70
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_02CA4248 4_2_02CA4248
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_02CAC208 4_2_02CAC208
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_02CAF550 4_2_02CAF550
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_02CABA38 4_2_02CABA38
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_02CA4B18 4_2_02CA4B18
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_02CA3F00 4_2_02CA3F00
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06D66780 4_2_06D66780
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06D6B3B8 4_2_06D6B3B8
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06D65358 4_2_06D65358
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06D6C308 4_2_06D6C308
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06D67F08 4_2_06D67F08
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06D62418 4_2_06D62418
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06D65A78 4_2_06D65A78
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06D60040 4_2_06D60040
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06D67828 4_2_06D67828
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06D6E528 4_2_06D6E528
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06DD6778 4_2_06DD6778
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06DDE8C0 4_2_06DDE8C0
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06DDE8B0 4_2_06DDE8B0
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06DD12F0 4_2_06DD12F0
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_06D60011 4_2_06D60011
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 7_2_016BD5BC 7_2_016BD5BC
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 7_2_05506C00 7_2_05506C00
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 7_2_05500040 7_2_05500040
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 7_2_05500006 7_2_05500006
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 7_2_05506BF0 7_2_05506BF0
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 7_2_0D254838 7_2_0D254838
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_01B14248 8_2_01B14248
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_01B1F628 8_2_01B1F628
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_01B14B18 8_2_01B14B18
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_01B1BC00 8_2_01B1BC00
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_01B13F00 8_2_01B13F00
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_01B1EF48 8_2_01B1EF48
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_07317420 8_2_07317420
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_07312418 8_2_07312418
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_0731C310 8_2_0731C310
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_07317B00 8_2_07317B00
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_07316378 8_2_07316378
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_07315358 8_2_07315358
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_0731B3C0 8_2_0731B3C0
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_07315A78 8_2_07315A78
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_0731E530 8_2_0731E530
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_07310040 8_2_07310040
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_07310007 8_2_07310007
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 12_2_029CD5BC 12_2_029CD5BC
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_01384248 13_2_01384248
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_0138F628 13_2_0138F628
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_01384B18 13_2_01384B18
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_0138BCC0 13_2_0138BCC0
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_01383F00 13_2_01383F00
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_0138EF48 13_2_0138EF48
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_07047B00 13_2_07047B00
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_0704C310 13_2_0704C310
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_07045358 13_2_07045358
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_07046378 13_2_07046378
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_0704B3C0 13_2_0704B3C0
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_07042418 13_2_07042418
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_07045A78 13_2_07045A78
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_0704E530 13_2_0704E530
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_07047420 13_2_07047420
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_07040040 13_2_07040040
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_07040006 13_2_07040006
PE / OLE file has an invalid certificate
Source: 2024.scr.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: 2024.scr.exe, 00000000.00000000.2132045205.0000000000386000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNHFC.exe vs 2024.scr.exe
Source: 2024.scr.exe, 00000000.00000002.2151973804.0000000004141000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs 2024.scr.exe
Source: 2024.scr.exe, 00000000.00000002.2157916793.0000000007330000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs 2024.scr.exe
Source: 2024.scr.exe, 00000000.00000002.2158432216.000000000D1C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs 2024.scr.exe
Source: 2024.scr.exe, 00000000.00000002.2148166248.00000000007AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 2024.scr.exe
Source: 2024.scr.exe, 00000000.00000002.2149694869.00000000026D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename3a9f97cf-06b5-46de-807e-132d396f6890.exe4 vs 2024.scr.exe
Source: 2024.scr.exe, 00000000.00000002.2151973804.000000000376C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename3a9f97cf-06b5-46de-807e-132d396f6890.exe4 vs 2024.scr.exe
Source: 2024.scr.exe, 00000004.00000002.4609545898.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 2024.scr.exe
Source: 2024.scr.exe Binary or memory string: OriginalFilenameNHFC.exe vs 2024.scr.exe
Uses 32bit PE files
Source: 2024.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.2024.scr.exe.376c328.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.Logon32.exe.408d238.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.Logon32.exe.3bf64d8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.Logon32.exe.3c322f8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.Logon32.exe.40c9058.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.2024.scr.exe.37a8148.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.Logon32.exe.40c9058.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.Logon32.exe.408d238.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.2024.scr.exe.376c328.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.Logon32.exe.3bf64d8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.Logon32.exe.3c322f8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, KLhJmaON.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, KLhJmaON.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, 7hO8luD.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, 7hO8luD.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, 7hO8luD.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, 7hO8luD.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, 9HIFdl.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, 9HIFdl.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, VPlKcbLToBHBxlelgM.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, VPlKcbLToBHBxlelgM.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, VPlKcbLToBHBxlelgM.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, tjMRaMqUNgRe9WpmIG.cs Security API names: _0020.SetAccessControl
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, tjMRaMqUNgRe9WpmIG.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, tjMRaMqUNgRe9WpmIG.cs Security API names: _0020.AddAccessRule
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, tjMRaMqUNgRe9WpmIG.cs Security API names: _0020.SetAccessControl
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, tjMRaMqUNgRe9WpmIG.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, tjMRaMqUNgRe9WpmIG.cs Security API names: _0020.AddAccessRule
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, tjMRaMqUNgRe9WpmIG.cs Security API names: _0020.SetAccessControl
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, tjMRaMqUNgRe9WpmIG.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, tjMRaMqUNgRe9WpmIG.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@13/9@3/3
Source: C:\Users\user\Desktop\2024.scr.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2024.scr.exe.log Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Mutant created: \Sessions\1\BaseNamedObjects\QutOHovbqbDvoDHueoc
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nihp0rjw.rop.ps1 Jump to behavior
Source: 2024.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 2024.scr.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 2024.scr.exe, 00000000.00000000.2131957372.0000000000292000.00000002.00000001.01000000.00000003.sdmp, Logon32.exe.4.dr Binary or memory string: INSERT INTO tab_grade (gId, gName) VALUES(NULL, @gName);SELECT @@IDENTITY# Add successfullyInfo%Add unsuccessfully-Grade name not changed
Source: 2024.scr.exe ReversingLabs: Detection: 60%
Source: 2024.scr.exe Virustotal: Detection: 46%
Source: C:\Users\user\Desktop\2024.scr.exe File read: C:\Users\user\Desktop\2024.scr.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\2024.scr.exe "C:\Users\user\Desktop\2024.scr.exe"
Source: C:\Users\user\Desktop\2024.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2024.scr.exe"
Source: C:\Users\user\Desktop\2024.scr.exe Process created: C:\Users\user\Desktop\2024.scr.exe "C:\Users\user\Desktop\2024.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe "C:\Users\user\AppData\Roaming\Logon32\Logon32.exe"
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process created: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe "C:\Users\user\AppData\Roaming\Logon32\Logon32.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe "C:\Users\user\AppData\Roaming\Logon32\Logon32.exe"
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process created: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe "C:\Users\user\AppData\Roaming\Logon32\Logon32.exe"
Source: C:\Users\user\Desktop\2024.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2024.scr.exe" Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process created: C:\Users\user\Desktop\2024.scr.exe "C:\Users\user\Desktop\2024.scr.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process created: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe "C:\Users\user\AppData\Roaming\Logon32\Logon32.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process created: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe "C:\Users\user\AppData\Roaming\Logon32\Logon32.exe"
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\2024.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\2024.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: 2024.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 2024.scr.exe Static file information: File size 1050120 > 1048576
Source: 2024.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 2024.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: NHFC.pdb source: 2024.scr.exe, Logon32.exe.4.dr
Source: Binary string: NHFC.pdbSHA256 source: 2024.scr.exe, Logon32.exe.4.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 2024.scr.exe, frm_login.cs .Net Code: InitializeComponent
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, tjMRaMqUNgRe9WpmIG.cs .Net Code: TSIwOjnVyb System.Reflection.Assembly.Load(byte[])
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, tjMRaMqUNgRe9WpmIG.cs .Net Code: TSIwOjnVyb System.Reflection.Assembly.Load(byte[])
Source: 0.2.2024.scr.exe.7330000.4.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.2024.scr.exe.7330000.4.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, tjMRaMqUNgRe9WpmIG.cs .Net Code: TSIwOjnVyb System.Reflection.Assembly.Load(byte[])
Source: Logon32.exe.4.dr, frm_login.cs .Net Code: InitializeComponent
Binary contains a suspicious time stamp
Source: 2024.scr.exe Static PE information: 0xCB13C7CD [Sat Dec 18 16:39:41 2077 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_00D6F110 pushad ; iretd 0_2_00D6F111
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C3057B push es; ret 0_2_05C30588
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C313AF push cs; ret 0_2_05C313BE
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C30C01 push 8BBCEB50h; ret 0_2_05C30C07
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 0_2_05C34C38 push esp; retf 0_2_05C34C39
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_02CA0C45 push ebx; retf 4_2_02CA0C52
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_02CA0C53 push ebx; retf 4_2_02CA0C52
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_02CA0C77 push edi; retf 4_2_02CA0C7A
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 7_2_016BF110 pushad ; iretd 7_2_016BF111
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_01B10CCC push edi; retf 8_2_01B10C7A
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 8_2_01B10C45 push ebx; retf 8_2_01B10C52
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 12_2_029CF110 pushad ; iretd 12_2_029CF111
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_0138B1D8 push esp; ret 13_2_0138B1EB
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_0138B1D8 push edi; ret 13_2_0138B232
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_0138B3FA push edx; ret 13_2_0138B3FB
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_0138B40A push edx; ret 13_2_0138B40B
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_0138B402 push edx; ret 13_2_0138B403
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_01380C45 push ebx; retf 13_2_01380C52
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Code function: 13_2_01380CCB push edi; retf 13_2_01380C7A
Source: 2024.scr.exe Static PE information: section name: .text entropy: 7.15649036202405
Source: Logon32.exe.4.dr Static PE information: section name: .text entropy: 7.15649036202405
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, PdaNmxR14wxNoQHg0Q.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'w026oIgcpW', 'ksH6SPxFuv', 'mNm6zkjf6l', 'HRcBk8f91s', 'jGXBqTdHNk', 'yjdB6711VH', 'gd4BB49Q0G', 'CULebSIbTHoqDw1ZeqT'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, tjMRaMqUNgRe9WpmIG.cs High entropy of concatenated method names: 'dYqBXGNQTa', 'NtAB2MW02X', 'PfWBjhXpOF', 'qbhBd4CYBt', 'u7PBJZY8RJ', 'F4vBZ4knkB', 'Jb5BNqn3CA', 'AofBcIE1cA', 'hh7BQZfaJ6', 'Na2BhiBYC7'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, HWJqbBQJaepfeBU9j9.cs High entropy of concatenated method names: 'MfSW2FOwXi', 'afDWj9MCUe', 'IC4Wdq0r2h', 'Ba6WJE4o4Y', 'ANNWZnte4C', 'rwAWNnHJM6', 'Jm4WckklQO', 'XaaWQDgoG8', 'pWlWhfBDbs', 'mibWx90Bus'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, KQvgLRfV2U5IDS3PNw.cs High entropy of concatenated method names: 'WnYqN9kdc5', 'Hd7qcRchTi', 'k8Mqh4B8ys', 'P7CqxPiksB', 'ciAq84VHYF', 'vxEqsIrcBR', 'cuG5lTLWJh2IofWJdj', 'fpuiaaYLSH3ChZ99T6', 'Y8kqqhIZjJ', 'FTDqBVVrdQ'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, YaMI77kNuj3RqKpdaF.cs High entropy of concatenated method names: 'FtpLlgU1ni', 'B6fLSoJ3Ex', 'WSkWkCIHiU', 'XPcWqWkmh1', 'tX5LgDGnVk', 'nKSLfRcpPt', 'k96LMTi1DY', 'PANLiBvJpZ', 'GDgLn20DJq', 'i7XLudW9jj'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, lSVdsY1w08s4XML2xH.cs High entropy of concatenated method names: 'Mq8Lh2KVGl', 'HdnLxrnGPy', 'ToString', 'wBfL2aRiUu', 'N6rLjcumjE', 'qsKLdGAYjI', 'Lu6LJM6gsD', 'B2FLZVH4Gp', 'lY5LNUdnl3', 'uhFLcVWcqJ'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, TFj1yMvJcKjcjV6whV.cs High entropy of concatenated method names: 'p61JK4yrx4', 'JcAJr2KBh3', 'JFedvCYiQL', 'QtZd0NoPYL', 'MiKdyUXecY', 'bZWdAQTl2t', 'qSwdm40BYA', 'BZ4d1R41XJ', 'sQEdHQfXJW', 'cj7dPSkp2o'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, LGXVgugFgrrHxRD9XL.cs High entropy of concatenated method names: 'KggZXL29iX', 'FETZjJLpWN', 'IWuZJ0WQwU', 'XkwZNlyh5e', 'xjsZcB5S1R', 'HDcJGTjVvZ', 'CvdJIOmCYu', 'XttJ3CNHIa', 'hZiJlsBBbd', 'iLYJo5MQvu'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, rp7Oudo7Ep3QqZOaYu.cs High entropy of concatenated method names: 'wxC8PHSh1O', 'C7A8fQoAVs', 'HwF8iqGVUB', 'UAy8n1pfsy', 'tNp8UY2FLB', 'AgZ8vMjn1p', 'AmS80pcBvq', 'vXu8yPIfPa', 'vS88A8SQO6', 'HLZ8mO5Zqo'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, VPlKcbLToBHBxlelgM.cs High entropy of concatenated method names: 'WdhjilP1px', 'd8Ujnvm8kk', 'veIjubDRcj', 'al7jRgKoxU', 'rRFjGQyf7s', 'rNKjI1VavL', 'iYMj38BDBP', 'eXPjlCYvdQ', 'yIYjoobB8r', 'ynojSfAHUx'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, wbQuSfBCsYHY5UauQk.cs High entropy of concatenated method names: 'wnZN7PXxtA', 'oq7NCGuH7A', 'D52NOQpicC', 'NSENtPopwj', 'U2kNKRYHfn', 'bNZNaPxhDs', 'ttfNrd3LTu', 'AG0NFh4Nqk', 'twhNTYTe6g', 'LYTNEi9QCm'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, aIk48C44WUZwHG8nmpm.cs High entropy of concatenated method names: 'ToString', 'MwNpBqREAl', 'EafpwQKn9e', 'fQwpXPICBU', 'o63p2vup5d', 'K7MpjsiuRd', 'uiZpdVn4Ii', 'iwSpJ2rM7Z', 'Y23TkleYbOPxRdNxu2x', 'cZVNyBe504U6ZZOA2I6'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, pEZU9mp6OKuJ04plKi.cs High entropy of concatenated method names: 'c4IO5vHrU', 'qv3tnYTge', 'IgWaaPfbu', 'TFtrLSJ8G', 'GLmTt29YE', 'Vn7EquCaB', 'AgGKN5r6bdgpkq5Ti9', 'E83SxRBi5hkW1F0xlK', 'xxYWuS6qW', 'x7ApAhcOg'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, I9kZpxcJmYVHYi37Ig.cs High entropy of concatenated method names: 'Dispose', 'SJDqoZXiYr', 'OTj6UJSuqZ', 'gqPbbBSvEY', 'qEeqS5kyGE', 'HCRqzKHSaN', 'ProcessDialogKey', 'MVh6kjim9m', 'jCX6qY0vXr', 'zri663QGJk'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, Cc8SKF4aH6lbinOxlUK.cs High entropy of concatenated method names: 'SKpY78Glxe', 'keUYCSjeAv', 'Ck0YOMiSgY', 'V0jYtNq8bh', 'ubQYK7WA3i', 'PawYakXeGn', 'sqBYrFSk44', 'kWMYFSNTLx', 'DhOYTuSQ4n', 'jQKYErugVT'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, RDrDFL5tLvfj24Cqd1.cs High entropy of concatenated method names: 'ToString', 'VIksgMS5jt', 'yWrsUEMKok', 'Ov4svftglf', 'V08s0CgwF4', 'tchsy2bB0b', 'rymsAVJoKf', 'zJysm2HpVZ', 'g75s1wNT7T', 'QkssHppS4g'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, pblqtHzhNUeEgJYgWp.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DwkYD4XXoO', 'Fu5Y8xYwiv', 'b8cYsq1i7Z', 'nyjYLBZNkF', 'hPgYWyMNmp', 'vq7YY5bWus', 'k8jYpiWHcu'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, iaRI8s8T3dZ2SMq7cO.cs High entropy of concatenated method names: 'U8HdtVmkht', 'afvdaJuQKj', 'RjcdFFULaG', 'IjMdTiABpg', 'xvod84ZF5E', 'WTUdsAbu7d', 'dJGdLW52sq', 'SSxdWaLIjV', 'g1OdYhRlPA', 'KKLdpYuXQp'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, G8JwKlSNVrZNuTXF2J.cs High entropy of concatenated method names: 'SxhN2qPM8D', 'vVWNdO3KpB', 'tFKNZkR20Q', 'Mx1ZSsqTwf', 'puRZzIZg3P', 'u00Nk0qXDG', 'IhvNqIst7w', 'YAiN6aOBPb', 'crJNBdMQvy', 'kowNwlE3l4'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, uMdep3CHbwPS2ta1OS.cs High entropy of concatenated method names: 'NbbDFgl8AA', 'vkvDT4Bn4p', 'LOjDVwVNPC', 'tZdDUOJxgn', 'zGAD0XQNwA', 'd5fDyonsoR', 'kSMDmcdWTD', 'rmvD1tP0jP', 'qIODPe2UBb', 'kYoDghuyr1'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, j4KJillMeRt8tqUSTa.cs High entropy of concatenated method names: 'X0hWVhq0su', 'S25WUBPsLK', 'vLIWvPR2Y1', 'cpEW0U8AWA', 'mt7WiFblfO', 'prOWy2ojOe', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, tK2mqU4UvXC7JjjU3FG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'e5VpiQal0U', 'Nlrpna65m6', 'Yxopufui9k', 'VsKpRr3SVm', 'l5IpGLnpbN', 'SeQpI7f3OF', 'BbOp3K2gpX'
Source: 0.2.2024.scr.exe.43c9ab8.1.raw.unpack, y9xoMvV8BnB1AU7EUF.cs High entropy of concatenated method names: 'ViaYqpkdd7', 'qCoYB1c2oY', 'L4yYwZhkKy', 'M04Y2UlZJm', 'zZcYjs5MkJ', 'krxYJ4v8yu', 'k0gYZiogD1', 'dUyW3hJCgt', 'oEVWliwwEZ', 'WAwWoqfaEE'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, PdaNmxR14wxNoQHg0Q.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'w026oIgcpW', 'ksH6SPxFuv', 'mNm6zkjf6l', 'HRcBk8f91s', 'jGXBqTdHNk', 'yjdB6711VH', 'gd4BB49Q0G', 'CULebSIbTHoqDw1ZeqT'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, tjMRaMqUNgRe9WpmIG.cs High entropy of concatenated method names: 'dYqBXGNQTa', 'NtAB2MW02X', 'PfWBjhXpOF', 'qbhBd4CYBt', 'u7PBJZY8RJ', 'F4vBZ4knkB', 'Jb5BNqn3CA', 'AofBcIE1cA', 'hh7BQZfaJ6', 'Na2BhiBYC7'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, HWJqbBQJaepfeBU9j9.cs High entropy of concatenated method names: 'MfSW2FOwXi', 'afDWj9MCUe', 'IC4Wdq0r2h', 'Ba6WJE4o4Y', 'ANNWZnte4C', 'rwAWNnHJM6', 'Jm4WckklQO', 'XaaWQDgoG8', 'pWlWhfBDbs', 'mibWx90Bus'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, KQvgLRfV2U5IDS3PNw.cs High entropy of concatenated method names: 'WnYqN9kdc5', 'Hd7qcRchTi', 'k8Mqh4B8ys', 'P7CqxPiksB', 'ciAq84VHYF', 'vxEqsIrcBR', 'cuG5lTLWJh2IofWJdj', 'fpuiaaYLSH3ChZ99T6', 'Y8kqqhIZjJ', 'FTDqBVVrdQ'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, YaMI77kNuj3RqKpdaF.cs High entropy of concatenated method names: 'FtpLlgU1ni', 'B6fLSoJ3Ex', 'WSkWkCIHiU', 'XPcWqWkmh1', 'tX5LgDGnVk', 'nKSLfRcpPt', 'k96LMTi1DY', 'PANLiBvJpZ', 'GDgLn20DJq', 'i7XLudW9jj'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, lSVdsY1w08s4XML2xH.cs High entropy of concatenated method names: 'Mq8Lh2KVGl', 'HdnLxrnGPy', 'ToString', 'wBfL2aRiUu', 'N6rLjcumjE', 'qsKLdGAYjI', 'Lu6LJM6gsD', 'B2FLZVH4Gp', 'lY5LNUdnl3', 'uhFLcVWcqJ'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, TFj1yMvJcKjcjV6whV.cs High entropy of concatenated method names: 'p61JK4yrx4', 'JcAJr2KBh3', 'JFedvCYiQL', 'QtZd0NoPYL', 'MiKdyUXecY', 'bZWdAQTl2t', 'qSwdm40BYA', 'BZ4d1R41XJ', 'sQEdHQfXJW', 'cj7dPSkp2o'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, LGXVgugFgrrHxRD9XL.cs High entropy of concatenated method names: 'KggZXL29iX', 'FETZjJLpWN', 'IWuZJ0WQwU', 'XkwZNlyh5e', 'xjsZcB5S1R', 'HDcJGTjVvZ', 'CvdJIOmCYu', 'XttJ3CNHIa', 'hZiJlsBBbd', 'iLYJo5MQvu'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, rp7Oudo7Ep3QqZOaYu.cs High entropy of concatenated method names: 'wxC8PHSh1O', 'C7A8fQoAVs', 'HwF8iqGVUB', 'UAy8n1pfsy', 'tNp8UY2FLB', 'AgZ8vMjn1p', 'AmS80pcBvq', 'vXu8yPIfPa', 'vS88A8SQO6', 'HLZ8mO5Zqo'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, VPlKcbLToBHBxlelgM.cs High entropy of concatenated method names: 'WdhjilP1px', 'd8Ujnvm8kk', 'veIjubDRcj', 'al7jRgKoxU', 'rRFjGQyf7s', 'rNKjI1VavL', 'iYMj38BDBP', 'eXPjlCYvdQ', 'yIYjoobB8r', 'ynojSfAHUx'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, wbQuSfBCsYHY5UauQk.cs High entropy of concatenated method names: 'wnZN7PXxtA', 'oq7NCGuH7A', 'D52NOQpicC', 'NSENtPopwj', 'U2kNKRYHfn', 'bNZNaPxhDs', 'ttfNrd3LTu', 'AG0NFh4Nqk', 'twhNTYTe6g', 'LYTNEi9QCm'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, aIk48C44WUZwHG8nmpm.cs High entropy of concatenated method names: 'ToString', 'MwNpBqREAl', 'EafpwQKn9e', 'fQwpXPICBU', 'o63p2vup5d', 'K7MpjsiuRd', 'uiZpdVn4Ii', 'iwSpJ2rM7Z', 'Y23TkleYbOPxRdNxu2x', 'cZVNyBe504U6ZZOA2I6'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, pEZU9mp6OKuJ04plKi.cs High entropy of concatenated method names: 'c4IO5vHrU', 'qv3tnYTge', 'IgWaaPfbu', 'TFtrLSJ8G', 'GLmTt29YE', 'Vn7EquCaB', 'AgGKN5r6bdgpkq5Ti9', 'E83SxRBi5hkW1F0xlK', 'xxYWuS6qW', 'x7ApAhcOg'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, I9kZpxcJmYVHYi37Ig.cs High entropy of concatenated method names: 'Dispose', 'SJDqoZXiYr', 'OTj6UJSuqZ', 'gqPbbBSvEY', 'qEeqS5kyGE', 'HCRqzKHSaN', 'ProcessDialogKey', 'MVh6kjim9m', 'jCX6qY0vXr', 'zri663QGJk'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, Cc8SKF4aH6lbinOxlUK.cs High entropy of concatenated method names: 'SKpY78Glxe', 'keUYCSjeAv', 'Ck0YOMiSgY', 'V0jYtNq8bh', 'ubQYK7WA3i', 'PawYakXeGn', 'sqBYrFSk44', 'kWMYFSNTLx', 'DhOYTuSQ4n', 'jQKYErugVT'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, RDrDFL5tLvfj24Cqd1.cs High entropy of concatenated method names: 'ToString', 'VIksgMS5jt', 'yWrsUEMKok', 'Ov4svftglf', 'V08s0CgwF4', 'tchsy2bB0b', 'rymsAVJoKf', 'zJysm2HpVZ', 'g75s1wNT7T', 'QkssHppS4g'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, pblqtHzhNUeEgJYgWp.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DwkYD4XXoO', 'Fu5Y8xYwiv', 'b8cYsq1i7Z', 'nyjYLBZNkF', 'hPgYWyMNmp', 'vq7YY5bWus', 'k8jYpiWHcu'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, iaRI8s8T3dZ2SMq7cO.cs High entropy of concatenated method names: 'U8HdtVmkht', 'afvdaJuQKj', 'RjcdFFULaG', 'IjMdTiABpg', 'xvod84ZF5E', 'WTUdsAbu7d', 'dJGdLW52sq', 'SSxdWaLIjV', 'g1OdYhRlPA', 'KKLdpYuXQp'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, G8JwKlSNVrZNuTXF2J.cs High entropy of concatenated method names: 'SxhN2qPM8D', 'vVWNdO3KpB', 'tFKNZkR20Q', 'Mx1ZSsqTwf', 'puRZzIZg3P', 'u00Nk0qXDG', 'IhvNqIst7w', 'YAiN6aOBPb', 'crJNBdMQvy', 'kowNwlE3l4'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, uMdep3CHbwPS2ta1OS.cs High entropy of concatenated method names: 'NbbDFgl8AA', 'vkvDT4Bn4p', 'LOjDVwVNPC', 'tZdDUOJxgn', 'zGAD0XQNwA', 'd5fDyonsoR', 'kSMDmcdWTD', 'rmvD1tP0jP', 'qIODPe2UBb', 'kYoDghuyr1'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, j4KJillMeRt8tqUSTa.cs High entropy of concatenated method names: 'X0hWVhq0su', 'S25WUBPsLK', 'vLIWvPR2Y1', 'cpEW0U8AWA', 'mt7WiFblfO', 'prOWy2ojOe', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, tK2mqU4UvXC7JjjU3FG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'e5VpiQal0U', 'Nlrpna65m6', 'Yxopufui9k', 'VsKpRr3SVm', 'l5IpGLnpbN', 'SeQpI7f3OF', 'BbOp3K2gpX'
Source: 0.2.2024.scr.exe.d1c0000.7.raw.unpack, y9xoMvV8BnB1AU7EUF.cs High entropy of concatenated method names: 'ViaYqpkdd7', 'qCoYB1c2oY', 'L4yYwZhkKy', 'M04Y2UlZJm', 'zZcYjs5MkJ', 'krxYJ4v8yu', 'k0gYZiogD1', 'dUyW3hJCgt', 'oEVWliwwEZ', 'WAwWoqfaEE'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, PdaNmxR14wxNoQHg0Q.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'w026oIgcpW', 'ksH6SPxFuv', 'mNm6zkjf6l', 'HRcBk8f91s', 'jGXBqTdHNk', 'yjdB6711VH', 'gd4BB49Q0G', 'CULebSIbTHoqDw1ZeqT'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, tjMRaMqUNgRe9WpmIG.cs High entropy of concatenated method names: 'dYqBXGNQTa', 'NtAB2MW02X', 'PfWBjhXpOF', 'qbhBd4CYBt', 'u7PBJZY8RJ', 'F4vBZ4knkB', 'Jb5BNqn3CA', 'AofBcIE1cA', 'hh7BQZfaJ6', 'Na2BhiBYC7'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, HWJqbBQJaepfeBU9j9.cs High entropy of concatenated method names: 'MfSW2FOwXi', 'afDWj9MCUe', 'IC4Wdq0r2h', 'Ba6WJE4o4Y', 'ANNWZnte4C', 'rwAWNnHJM6', 'Jm4WckklQO', 'XaaWQDgoG8', 'pWlWhfBDbs', 'mibWx90Bus'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, KQvgLRfV2U5IDS3PNw.cs High entropy of concatenated method names: 'WnYqN9kdc5', 'Hd7qcRchTi', 'k8Mqh4B8ys', 'P7CqxPiksB', 'ciAq84VHYF', 'vxEqsIrcBR', 'cuG5lTLWJh2IofWJdj', 'fpuiaaYLSH3ChZ99T6', 'Y8kqqhIZjJ', 'FTDqBVVrdQ'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, YaMI77kNuj3RqKpdaF.cs High entropy of concatenated method names: 'FtpLlgU1ni', 'B6fLSoJ3Ex', 'WSkWkCIHiU', 'XPcWqWkmh1', 'tX5LgDGnVk', 'nKSLfRcpPt', 'k96LMTi1DY', 'PANLiBvJpZ', 'GDgLn20DJq', 'i7XLudW9jj'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, lSVdsY1w08s4XML2xH.cs High entropy of concatenated method names: 'Mq8Lh2KVGl', 'HdnLxrnGPy', 'ToString', 'wBfL2aRiUu', 'N6rLjcumjE', 'qsKLdGAYjI', 'Lu6LJM6gsD', 'B2FLZVH4Gp', 'lY5LNUdnl3', 'uhFLcVWcqJ'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, TFj1yMvJcKjcjV6whV.cs High entropy of concatenated method names: 'p61JK4yrx4', 'JcAJr2KBh3', 'JFedvCYiQL', 'QtZd0NoPYL', 'MiKdyUXecY', 'bZWdAQTl2t', 'qSwdm40BYA', 'BZ4d1R41XJ', 'sQEdHQfXJW', 'cj7dPSkp2o'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, LGXVgugFgrrHxRD9XL.cs High entropy of concatenated method names: 'KggZXL29iX', 'FETZjJLpWN', 'IWuZJ0WQwU', 'XkwZNlyh5e', 'xjsZcB5S1R', 'HDcJGTjVvZ', 'CvdJIOmCYu', 'XttJ3CNHIa', 'hZiJlsBBbd', 'iLYJo5MQvu'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, rp7Oudo7Ep3QqZOaYu.cs High entropy of concatenated method names: 'wxC8PHSh1O', 'C7A8fQoAVs', 'HwF8iqGVUB', 'UAy8n1pfsy', 'tNp8UY2FLB', 'AgZ8vMjn1p', 'AmS80pcBvq', 'vXu8yPIfPa', 'vS88A8SQO6', 'HLZ8mO5Zqo'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, VPlKcbLToBHBxlelgM.cs High entropy of concatenated method names: 'WdhjilP1px', 'd8Ujnvm8kk', 'veIjubDRcj', 'al7jRgKoxU', 'rRFjGQyf7s', 'rNKjI1VavL', 'iYMj38BDBP', 'eXPjlCYvdQ', 'yIYjoobB8r', 'ynojSfAHUx'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, wbQuSfBCsYHY5UauQk.cs High entropy of concatenated method names: 'wnZN7PXxtA', 'oq7NCGuH7A', 'D52NOQpicC', 'NSENtPopwj', 'U2kNKRYHfn', 'bNZNaPxhDs', 'ttfNrd3LTu', 'AG0NFh4Nqk', 'twhNTYTe6g', 'LYTNEi9QCm'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, aIk48C44WUZwHG8nmpm.cs High entropy of concatenated method names: 'ToString', 'MwNpBqREAl', 'EafpwQKn9e', 'fQwpXPICBU', 'o63p2vup5d', 'K7MpjsiuRd', 'uiZpdVn4Ii', 'iwSpJ2rM7Z', 'Y23TkleYbOPxRdNxu2x', 'cZVNyBe504U6ZZOA2I6'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, pEZU9mp6OKuJ04plKi.cs High entropy of concatenated method names: 'c4IO5vHrU', 'qv3tnYTge', 'IgWaaPfbu', 'TFtrLSJ8G', 'GLmTt29YE', 'Vn7EquCaB', 'AgGKN5r6bdgpkq5Ti9', 'E83SxRBi5hkW1F0xlK', 'xxYWuS6qW', 'x7ApAhcOg'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, I9kZpxcJmYVHYi37Ig.cs High entropy of concatenated method names: 'Dispose', 'SJDqoZXiYr', 'OTj6UJSuqZ', 'gqPbbBSvEY', 'qEeqS5kyGE', 'HCRqzKHSaN', 'ProcessDialogKey', 'MVh6kjim9m', 'jCX6qY0vXr', 'zri663QGJk'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, Cc8SKF4aH6lbinOxlUK.cs High entropy of concatenated method names: 'SKpY78Glxe', 'keUYCSjeAv', 'Ck0YOMiSgY', 'V0jYtNq8bh', 'ubQYK7WA3i', 'PawYakXeGn', 'sqBYrFSk44', 'kWMYFSNTLx', 'DhOYTuSQ4n', 'jQKYErugVT'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, RDrDFL5tLvfj24Cqd1.cs High entropy of concatenated method names: 'ToString', 'VIksgMS5jt', 'yWrsUEMKok', 'Ov4svftglf', 'V08s0CgwF4', 'tchsy2bB0b', 'rymsAVJoKf', 'zJysm2HpVZ', 'g75s1wNT7T', 'QkssHppS4g'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, pblqtHzhNUeEgJYgWp.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DwkYD4XXoO', 'Fu5Y8xYwiv', 'b8cYsq1i7Z', 'nyjYLBZNkF', 'hPgYWyMNmp', 'vq7YY5bWus', 'k8jYpiWHcu'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, iaRI8s8T3dZ2SMq7cO.cs High entropy of concatenated method names: 'U8HdtVmkht', 'afvdaJuQKj', 'RjcdFFULaG', 'IjMdTiABpg', 'xvod84ZF5E', 'WTUdsAbu7d', 'dJGdLW52sq', 'SSxdWaLIjV', 'g1OdYhRlPA', 'KKLdpYuXQp'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, G8JwKlSNVrZNuTXF2J.cs High entropy of concatenated method names: 'SxhN2qPM8D', 'vVWNdO3KpB', 'tFKNZkR20Q', 'Mx1ZSsqTwf', 'puRZzIZg3P', 'u00Nk0qXDG', 'IhvNqIst7w', 'YAiN6aOBPb', 'crJNBdMQvy', 'kowNwlE3l4'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, uMdep3CHbwPS2ta1OS.cs High entropy of concatenated method names: 'NbbDFgl8AA', 'vkvDT4Bn4p', 'LOjDVwVNPC', 'tZdDUOJxgn', 'zGAD0XQNwA', 'd5fDyonsoR', 'kSMDmcdWTD', 'rmvD1tP0jP', 'qIODPe2UBb', 'kYoDghuyr1'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, j4KJillMeRt8tqUSTa.cs High entropy of concatenated method names: 'X0hWVhq0su', 'S25WUBPsLK', 'vLIWvPR2Y1', 'cpEW0U8AWA', 'mt7WiFblfO', 'prOWy2ojOe', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, tK2mqU4UvXC7JjjU3FG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'e5VpiQal0U', 'Nlrpna65m6', 'Yxopufui9k', 'VsKpRr3SVm', 'l5IpGLnpbN', 'SeQpI7f3OF', 'BbOp3K2gpX'
Source: 0.2.2024.scr.exe.434c098.0.raw.unpack, y9xoMvV8BnB1AU7EUF.cs High entropy of concatenated method names: 'ViaYqpkdd7', 'qCoYB1c2oY', 'L4yYwZhkKy', 'M04Y2UlZJm', 'zZcYjs5MkJ', 'krxYJ4v8yu', 'k0gYZiogD1', 'dUyW3hJCgt', 'oEVWliwwEZ', 'WAwWoqfaEE'
Drops PE files
Source: C:\Users\user\Desktop\2024.scr.exe File created: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Jump to dropped file
Source: C:\Users\user\Desktop\2024.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Logon32 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Logon32 Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\2024.scr.exe File opened: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe:Zone.Identifier read attributes | delete Jump to behavior
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\2024.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: 2024.scr.exe PID: 1616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Logon32.exe PID: 2800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Logon32.exe PID: 5976, type: MEMORYSTR
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 2024.scr.exe, 00000000.00000002.2151973804.000000000376C000.00000004.00000800.00020000.00000000.sdmp, 2024.scr.exe, 00000004.00000002.4619512401.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000007.00000002.2291548460.000000000408D000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000008.00000002.4619569539.0000000003635000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000C.00000002.2370533184.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000D.00000002.4618767842.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000D.00000002.4606513178.0000000000436000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: D20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: 26D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: 46D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: 7A70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: 7490000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: 8A70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: 9A70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: 9E00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: AE00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: BE00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: D240000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: E240000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: F240000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: F950000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: 2C60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: 2E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: 4E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 15D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 2FF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 15D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 7BC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 8BC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 8D60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 9D60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: A0A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: B0A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: C1A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: D5D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: E5D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: F5D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: FC50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 1900000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 35D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 1A70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 2980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 2B60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 4B60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 7D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 8D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 8EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 9EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: A330000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: B330000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 7D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 8EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: A330000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 1380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 3090000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory allocated: 5090000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 599738 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 599593 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 599359 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 599187 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 599074 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 598962 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 598856 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 598745 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 598630 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 598470 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 594163 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 594046 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 593937 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 593827 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 593718 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 593609 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599200 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599075 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 598968 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 598811 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 598682 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 598578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594556 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594422 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594297 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594187 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594073 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 593953 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 593843 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 593734 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599872
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599531
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 598951
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594766
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594547
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594437
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594328
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594218
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594109
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\2024.scr.exe Window / User API: threadDelayed 858 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Window / User API: threadDelayed 468 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5985 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2585 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Window / User API: threadDelayed 2591 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Window / User API: threadDelayed 7123 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Window / User API: threadDelayed 1211 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Window / User API: threadDelayed 5734 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Window / User API: threadDelayed 4052 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Window / User API: threadDelayed 391
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Window / User API: threadDelayed 593
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Window / User API: threadDelayed 2461
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Window / User API: threadDelayed 7351
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\2024.scr.exe TID: 6932 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 6916 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4372 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 320 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5828 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -32281802128991695s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -599738s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -599593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -599359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -599187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -599074s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -598962s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -598856s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -598745s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -598630s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -598470s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -99966s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -99859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -99749s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -99640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -99531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -99422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -99312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -99203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -99094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -98984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -98875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -98765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -98649s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -98413s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -98295s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -98178s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -98047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -97937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -97827s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -97718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -97594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -97469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -97359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -97249s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -97138s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -97031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -96921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -96807s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -96702s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -96593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -96484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -96374s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -96265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -96149s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -96026s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -95922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -594163s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -594046s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -593937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -593827s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -593718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe TID: 4064 Thread sleep time: -593609s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 4136 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2732 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -34126476536362649s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -599437s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -599328s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -599200s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -599075s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -598968s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -598811s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -598682s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -598578s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -99890s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -99781s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -99672s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -99563s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -99438s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -99313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -99197s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -99078s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -98968s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -98860s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -98735s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -98610s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -98485s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -98258s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -98010s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -97873s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -97766s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -97656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -97547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -97438s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -97313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -97188s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -97063s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -96953s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -96844s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -96719s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -96610s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -96485s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -96360s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -96235s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -96110s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -594556s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -594422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -594297s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -594187s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -594073s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -593953s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -593843s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2852 Thread sleep time: -593734s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2936 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 6072 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2488 Thread sleep count: 2461 > 30
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -599872s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 2488 Thread sleep count: 7351 > 30
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -599641s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -599531s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -598951s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -99877s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -99752s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -99627s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -99502s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -99377s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -99252s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -99127s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -99002s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -98877s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -98752s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -98627s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -98502s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -98377s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -98252s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -98127s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -98002s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -97877s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -97752s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -97627s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -97502s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -97377s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -97252s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -97127s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -97002s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -96877s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -96752s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -96627s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -96502s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -96377s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -595203s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -595094s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -594984s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -594875s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -594766s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -594656s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -594547s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -594437s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -594328s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -594218s >= -30000s
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe TID: 5492 Thread sleep time: -594109s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 599738 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 599593 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 599359 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 599187 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 599074 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 598962 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 598856 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 598745 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 598630 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 598470 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 99966 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 99859 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 99749 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 99640 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 99531 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 99422 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 99312 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 99203 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 99094 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 98984 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 98875 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 98765 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 98649 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 98413 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 98295 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 98178 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 98047 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 97937 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 97827 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 97718 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 97594 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 97469 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 97359 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 97249 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 97138 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 97031 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 96921 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 96807 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 96702 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 96593 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 96484 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 96374 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 96265 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 96149 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 96026 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 95922 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 594163 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 594046 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 593937 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 593827 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 593718 Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Thread delayed: delay time: 593609 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599200 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599075 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 598968 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 598811 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 598682 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 598578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99890 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99781 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99672 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99563 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99438 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99313 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99197 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99078 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98968 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98860 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98735 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98610 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98485 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98258 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97873 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97766 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97656 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97438 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97313 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97188 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97063 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 96953 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 96844 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 96719 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 96610 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 96485 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 96360 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 96235 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 96110 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594556 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594422 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594297 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594187 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594073 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 593953 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 593843 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 593734 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599872
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599531
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 598951
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99877
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99752
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99627
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99502
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99377
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99252
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99127
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 99002
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98877
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98752
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98627
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98502
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98377
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98252
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98127
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 98002
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97877
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97752
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97627
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97502
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97377
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97252
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97127
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 97002
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 96877
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 96752
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 96627
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 96502
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 96377
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594766
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594547
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594437
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594328
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594218
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Thread delayed: delay time: 594109
Source: Logon32.exe, 0000000D.00000002.4618767842.00000000030EC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: Logon32.exe, 0000000D.00000002.4606513178.0000000000436000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmware
Source: 2024.scr.exe, 00000000.00000002.2151973804.000000000376C000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 00000007.00000002.2291548460.000000000408D000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000C.00000002.2370533184.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Logon32.exe, 0000000D.00000002.4606513178.0000000000430000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: hgfsZrw6
Source: Logon32.exe, 0000000D.00000002.4606513178.0000000000436000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: 2024.scr.exe, 00000004.00000002.4616583342.0000000001125000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: Logon32.exe, 0000000D.00000002.4606513178.0000000000430000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: typ10b3Oc803a9f97cf-06b5-46de-807e-132d396f6890Nchp5wQ00oTvKR0qZab0r6L0rfhk5f0ZPM3Jr0iIjd3y805s02Jv0Nlv0DvPLtry0$$method0x6000124-1$$method0x6000096-1$$method0x6000087-1$$method0x6000109-1$$method0x6000129-1$$method0x6000149-1$$method0x600012a-1$$method0x600019b-1$$method0x600025e-1$$method0x600010f-1$$method0x600011f-1oJxXq21k2WV311LrvM871HMACSHA1VT_UI1VT_I1g3vBoHJ1VL1BtS1IEnumerable`1ICollection`1IEnumerator`1IList`1xFPPpUzb1CS$<>9__CachedAnonymousMethodDelegate1kCNIuk1CFK29C0gXl1get_Item17LhL886wco1eJeQLmAEv1$$method0x6000109-2$$method0x600025e-2$$method0x600011f-2HMACSHA512Advapi32kernel32Microsoft.Win32user32ToUInt32ReadInt32ToInt32mM52k10rLFMsCF2aMF2GlSF2VT_UI2VT_I23xmaWO2kEP2KeyValuePair`2Dictionary`2wa2jR30VH2ik2get_Item2epq20M72M6803LiwtaMzSs03y5Rs2vl613663tW5rJ31L32nM3piJ8l60glR3XU3Tuple`3u6b3wl3get_Item3U9Kp3uRyxp3XQlmz6Jr3b5dNVFLxt3adpvK17r14v0jY44ToUInt64ReadInt64ToInt64q8ypzOf74lGcE1I2rC4VT_UI4VT_I4mEpeNJ45FsK42GrIn62IML4VT_R4d3sORnCRT4tLXmRU79KU4aVzjSX4rv5UvhJZhb4Epeub4m7e42y4ZWMnb25aRO5UjT35JMnS0UJ55MD5vDXF5sCyu0kXRT5agpaY54mXd5Og5wIgARv7m5vQn5Tnv5vy5QNc05gYy06IS_TEXT_UNICODE_ASCII16IS_TEXT_UNICODE_REVERSE_ASCII16VJxwj16ToUInt16ReadInt16ToInt16R36HMACSHA256lSB86qPv7xI9B6awdbC6JENwzK611YTXjKCCX619b6arg6Mpl6Q8FkNn632RKa2LEGu6AglCs0bu6hgfsZrw6ItJ9xfsmiD7raH7rUlE9KBdK7n1PibAta8O70BR7i2l
Source: Logon32.exe, 00000008.00000002.4610287684.0000000001653000.00000004.00000020.00020000.00000000.sdmp, Logon32.exe, 0000000D.00000002.4617751174.000000000146A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\2024.scr.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\2024.scr.exe Code function: 4_2_02CA7F20 CheckRemoteDebuggerPresent, 4_2_02CA7F20
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\2024.scr.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Users\user\Desktop\2024.scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\2024.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2024.scr.exe"
Source: C:\Users\user\Desktop\2024.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2024.scr.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\2024.scr.exe Memory written: C:\Users\user\Desktop\2024.scr.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Memory written: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\2024.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\2024.scr.exe" Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Process created: C:\Users\user\Desktop\2024.scr.exe "C:\Users\user\Desktop\2024.scr.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process created: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe "C:\Users\user\AppData\Roaming\Logon32\Logon32.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Process created: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe "C:\Users\user\AppData\Roaming\Logon32\Logon32.exe"
Source: 2024.scr.exe, 00000004.00000002.4619512401.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\2024.scr.exe Queries volume information: C:\Users\user\Desktop\2024.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Queries volume information: C:\Users\user\Desktop\2024.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\2024.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.2024.scr.exe.376c328.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Logon32.exe.408d238.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Logon32.exe.3bf64d8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Logon32.exe.3c322f8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Logon32.exe.40c9058.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2024.scr.exe.37a8148.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Logon32.exe.40c9058.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Logon32.exe.408d238.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2024.scr.exe.376c328.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Logon32.exe.3bf64d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Logon32.exe.3c322f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4619569539.0000000003635000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4618767842.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4619512401.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2291548460.000000000408D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2151973804.000000000376C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2370533184.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2024.scr.exe PID: 1616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2024.scr.exe PID: 6600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Logon32.exe PID: 2800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Logon32.exe PID: 6840, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Logon32.exe PID: 5976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Logon32.exe PID: 5388, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\2024.scr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\2024.scr.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\2024.scr.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\Logon32\Logon32.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 0.2.2024.scr.exe.376c328.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Logon32.exe.408d238.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Logon32.exe.3bf64d8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Logon32.exe.3c322f8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Logon32.exe.40c9058.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2024.scr.exe.37a8148.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Logon32.exe.40c9058.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Logon32.exe.408d238.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2024.scr.exe.376c328.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Logon32.exe.3bf64d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Logon32.exe.3c322f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4619569539.0000000003635000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4618767842.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4619512401.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2291548460.000000000408D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2151973804.000000000376C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2370533184.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2024.scr.exe PID: 1616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2024.scr.exe PID: 6600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Logon32.exe PID: 2800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Logon32.exe PID: 6840, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Logon32.exe PID: 5976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Logon32.exe PID: 5388, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.2024.scr.exe.376c328.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Logon32.exe.408d238.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Logon32.exe.3bf64d8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Logon32.exe.3c322f8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Logon32.exe.40c9058.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2024.scr.exe.37a8148.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Logon32.exe.40c9058.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2024.scr.exe.37a8148.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Logon32.exe.408d238.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2024.scr.exe.376c328.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Logon32.exe.3bf64d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Logon32.exe.3c322f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4619569539.0000000003635000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4618767842.00000000030EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4619512401.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2291548460.000000000408D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2151973804.000000000376C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2370533184.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2024.scr.exe PID: 1616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 2024.scr.exe PID: 6600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Logon32.exe PID: 2800, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Logon32.exe PID: 6840, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Logon32.exe PID: 5976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Logon32.exe PID: 5388, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1466662 Sample: 2024.scr.exe Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 43 smtp.yandex.com 2->43 45 ip-api.com 2->45 47 2 other IPs or domains 2->47 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 11 other signatures 2->69 8 2024.scr.exe 4 2->8         started        12 Logon32.exe 3 2->12         started        14 Logon32.exe 2->14         started        signatures3 process4 file5 35 C:\Users\user\AppData\...\2024.scr.exe.log, ASCII 8->35 dropped 71 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->71 73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->73 75 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->75 83 2 other signatures 8->83 16 2024.scr.exe 16 5 8->16         started        21 powershell.exe 23 8->21         started        77 Multi AV Scanner detection for dropped file 12->77 79 Machine Learning detection for dropped file 12->79 81 Injects a PE file into a foreign processes 12->81 23 Logon32.exe 14 2 12->23         started        25 Logon32.exe 14->25         started        signatures6 process7 dnsIp8 37 ip-api.com 208.95.112.1, 49716, 49723, 49731 TUT-ASUS United States 16->37 39 smtp.yandex.ru 77.88.21.158, 49718, 49725, 49732 YANDEXRU Russian Federation 16->39 41 api.ipify.org 104.26.13.205, 443, 49714, 49722 CLOUDFLARENETUS United States 16->41 31 C:\Users\user\AppData\Roaming\...\Logon32.exe, PE32 16->31 dropped 33 C:\Users\user\...\Logon32.exe:Zone.Identifier, ASCII 16->33 dropped 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->49 51 Tries to steal Mail credentials (via file / registry access) 16->51 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->53 55 Loading BitLocker PowerShell Module 21->55 27 WmiPrvSE.exe 21->27         started        29 conhost.exe 21->29         started        57 Tries to harvest and steal ftp login credentials 25->57 59 Tries to harvest and steal browser information (history, passwords, etc) 25->59 61 Installs a global keyboard hook 25->61 file9 signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS true
77.88.21.158
 smtp.yandex.ru Russian Federation
13238 YANDEXRU false
104.26.13.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
smtp.yandex.ru 77.88.21.158 true
api.ipify.org 104.26.13.205 true
ip-api.com 208.95.112.1 true
smtp.yandex.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
  • URL Reputation: safe
 unknown
http://ip-api.com/line/?fields=hosting false
  • URL Reputation: safe
 unknown