Windows Analysis Report
IMG 003.exe

Overview

General Information

Sample name: IMG 003.exe
Analysis ID: 1467967
MD5: 605e5a50ebdec57b636cff6353684913
SHA1: 891d2beea2edaa689cd3cfedc1e30f4ec5dde82e
SHA256: 30225014a390133cd81a5896e070c88313e33c21c6cb40d9fec1600bf9f70f4f
Tags: AgentTeslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 9.2.aBYKwaZ.exe.4564230.1.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.com", "Username": "wizzy@transmedmaritime.cf", "Password": "!feanyi#@12"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Virustotal: Detection: 40% Perma Link
Multi AV Scanner detection for submitted file
Source: IMG 003.exe ReversingLabs: Detection: 31%
Source: IMG 003.exe Virustotal: Detection: 40% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: IMG 003.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: IMG 003.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: IMG 003.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: frGi.pdb source: IMG 003.exe, aBYKwaZ.exe.0.dr
Source: Binary string: frGi.pdbSHA256 source: IMG 003.exe, aBYKwaZ.exe.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 4x nop then jmp 0192A915h 0_2_0192AD52
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 4x nop then jmp 0DCC9B75h 9_2_0DCC9FDB

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.aBYKwaZ.exe.459ec50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.IMG 003.exe.439e370.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.aBYKwaZ.exe.4564230.1.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49736 -> 77.88.21.158:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 77.88.21.158 77.88.21.158
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49736 -> 77.88.21.158:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: smtp.yandex.com
Source: aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.gl
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000648F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsrsaovsslca2018.crl0j
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000647F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.0000000006463000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.000000000144E000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000648F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000648F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsrsaovsslca20180V
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.000000000144E000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000648F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000647F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.0000000006463000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: IMG 003.exe, 00000000.00000002.1706447663.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003001000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 00000009.00000002.1769731116.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000648F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt07
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.000000000307B000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002D98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://smtp.yandex.com
Source: IMG 003.exe, aBYKwaZ.exe.0.dr String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: IMG 003.exe, 00000000.00000002.1713530189.0000000007322000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: IMG 003.exe, 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2914141071.0000000000435000.00000040.00000400.00020000.00000000.sdmp, aBYKwaZ.exe, 00000009.00000002.1772124355.0000000004564000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: IMG 003.exe, 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003001000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 00000009.00000002.1772124355.0000000004564000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2914163281.0000000000431000.00000040.00000400.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: IMG 003.exe, 00000008.00000002.2918405791.0000000003001000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: IMG 003.exe, 00000008.00000002.2918405791.0000000003001000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: IMG 003.exe, 00000008.00000002.2918405791.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009833000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2945385002.0000000009805000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2932744566.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2918405791.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, IMG 003.exe, 00000008.00000002.2916285074.000000000144E000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000647F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.0000000006463000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2932714515.000000000648F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008740000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002CAA000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2918450759.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2946210868.0000000008790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49737 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, SKTzxzsJw.cs .Net Code: vTmhWR
Source: 0.2.IMG 003.exe.439e370.4.raw.unpack, SKTzxzsJw.cs .Net Code: vTmhWR
Installs a global keyboard hook
Source: C:\Users\user\Desktop\IMG 003.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\IMG 003.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\aBYKwaZ.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\IMG 003.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Window created: window name: CLIPBRDWNDCLASS

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 8.2.IMG 003.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.IMG 003.exe.439e370.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.aBYKwaZ.exe.459ec50.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.IMG 003.exe.43d8d90.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.aBYKwaZ.exe.4564230.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.aBYKwaZ.exe.459ec50.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.IMG 003.exe.439e370.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.aBYKwaZ.exe.4564230.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: 0.2.IMG 003.exe.95f0000.6.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 0.2.IMG 003.exe.331b4d4.1.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Detected potential crypto function
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 0_2_0175DDEC 0_2_0175DDEC
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 0_2_01926340 0_2_01926340
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 0_2_01926348 0_2_01926348
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 0_2_01924430 0_2_01924430
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 0_2_01924868 0_2_01924868
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 0_2_0192DA68 0_2_0192DA68
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 0_2_01924CA0 0_2_01924CA0
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 0_2_01926CF8 0_2_01926CF8
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_012FE299 8_2_012FE299
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_012FA968 8_2_012FA968
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_012F4A98 8_2_012F4A98
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_012F3E80 8_2_012F3E80
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_012F41C8 8_2_012F41C8
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_012F19A0 8_2_012F19A0
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06CBB283 8_2_06CBB283
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06CB30E0 8_2_06CB30E0
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06CB76F8 8_2_06CB76F8
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06CBE400 8_2_06CBE400
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06CB0040 8_2_06CB0040
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06DA1908 8_2_06DA1908
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06DA1903 8_2_06DA1903
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06CB0023 8_2_06CB0023
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06CB0038 8_2_06CB0038
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 9_2_0110DDEC 9_2_0110DDEC
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 9_2_0DCCCCC8 9_2_0DCCCCC8
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 9_2_0DCC6CF8 9_2_0DCC6CF8
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 9_2_0DCC4CA0 9_2_0DCC4CA0
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 9_2_0DCC4868 9_2_0DCC4868
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 9_2_0DCC4418 9_2_0DCC4418
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 9_2_0DCC4430 9_2_0DCC4430
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 9_2_0DCC6348 9_2_0DCC6348
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 9_2_0DCC633A 9_2_0DCC633A
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_00D041C8 13_2_00D041C8
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_00D0A968 13_2_00D0A968
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_00D04A98 13_2_00D04A98
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_00D0AB1C 13_2_00D0AB1C
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_00D0DCC0 13_2_00D0DCC0
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_00D03E80 13_2_00D03E80
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_066B6648 13_2_066B6648
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_066B5628 13_2_066B5628
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_066B7DD8 13_2_066B7DD8
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_066BB283 13_2_066BB283
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_066B30E0 13_2_066B30E0
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_066BC1E8 13_2_066BC1E8
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_066B76F8 13_2_066B76F8
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_066B2408 13_2_066B2408
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_066BE400 13_2_066BE400
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_066B5D3B 13_2_066B5D3B
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_066B0040 13_2_066B0040
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_067AE4E8 13_2_067AE4E8
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_067A18CA 13_2_067A18CA
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_067A1908 13_2_067A1908
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_067A1902 13_2_067A1902
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_066B0022 13_2_066B0022
Sample file is different than original file name gathered from version info
Source: IMG 003.exe, 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedf8fc031-c024-49b7-9cf2-cdfecdf01d4a.exe4 vs IMG 003.exe
Source: IMG 003.exe, 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs IMG 003.exe
Source: IMG 003.exe, 00000000.00000002.1714374757.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs IMG 003.exe
Source: IMG 003.exe, 00000000.00000002.1715011158.00000000095F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs IMG 003.exe
Source: IMG 003.exe, 00000000.00000002.1705002448.00000000013CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs IMG 003.exe
Source: IMG 003.exe, 00000000.00000002.1706447663.00000000032B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs IMG 003.exe
Source: IMG 003.exe, 00000000.00000002.1706447663.00000000033C4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedf8fc031-c024-49b7-9cf2-cdfecdf01d4a.exe4 vs IMG 003.exe
Source: IMG 003.exe, 00000000.00000000.1640910658.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefrGi.exeD vs IMG 003.exe
Source: IMG 003.exe, 00000008.00000002.2914886404.00000000010F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs IMG 003.exe
Source: IMG 003.exe Binary or memory string: OriginalFilenamefrGi.exeD vs IMG 003.exe
Uses 32bit PE files
Source: IMG 003.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 8.2.IMG 003.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.IMG 003.exe.439e370.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.aBYKwaZ.exe.459ec50.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.IMG 003.exe.43d8d90.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.aBYKwaZ.exe.4564230.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.aBYKwaZ.exe.459ec50.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.IMG 003.exe.439e370.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.aBYKwaZ.exe.4564230.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: IMG 003.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: aBYKwaZ.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, f0Pi2hT7uJL80FX4Rh.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, vCSyCTfIWhq3JOLxpn.cs Security API names: _0020.SetAccessControl
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, vCSyCTfIWhq3JOLxpn.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, vCSyCTfIWhq3JOLxpn.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, f0Pi2hT7uJL80FX4Rh.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, vCSyCTfIWhq3JOLxpn.cs Security API names: _0020.SetAccessControl
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, vCSyCTfIWhq3JOLxpn.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, vCSyCTfIWhq3JOLxpn.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/2
Source: C:\Users\user\Desktop\IMG 003.exe File created: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_03
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Mutant created: \Sessions\1\BaseNamedObjects\xcoDYPZI
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4600:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4884:120:WilError_03
Source: C:\Users\user\Desktop\IMG 003.exe File created: C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp Jump to behavior
Source: IMG 003.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IMG 003.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: IMG 003.exe ReversingLabs: Detection: 31%
Source: IMG 003.exe Virustotal: Detection: 40%
Source: C:\Users\user\Desktop\IMG 003.exe File read: C:\Users\user\Desktop\IMG 003.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\IMG 003.exe "C:\Users\user\Desktop\IMG 003.exe"
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aBYKwaZ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Users\user\Desktop\IMG 003.exe "C:\Users\user\Desktop\IMG 003.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\aBYKwaZ.exe C:\Users\user\AppData\Roaming\aBYKwaZ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmp170F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process created: C:\Users\user\AppData\Roaming\aBYKwaZ.exe "C:\Users\user\AppData\Roaming\aBYKwaZ.exe"
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe" Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aBYKwaZ.exe" Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp" Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Users\user\Desktop\IMG 003.exe "C:\Users\user\Desktop\IMG 003.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmp170F.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process created: C:\Users\user\AppData\Roaming\aBYKwaZ.exe "C:\Users\user\AppData\Roaming\aBYKwaZ.exe" Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\IMG 003.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\IMG 003.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: IMG 003.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: IMG 003.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: IMG 003.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: frGi.pdb source: IMG 003.exe, aBYKwaZ.exe.0.dr
Source: Binary string: frGi.pdbSHA256 source: IMG 003.exe, aBYKwaZ.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: IMG 003.exe, MainForm.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: aBYKwaZ.exe.0.dr, MainForm.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.IMG 003.exe.95f0000.6.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.IMG 003.exe.95f0000.6.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, vCSyCTfIWhq3JOLxpn.cs .Net Code: nMkImFVXFc System.Reflection.Assembly.Load(byte[])
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, vCSyCTfIWhq3JOLxpn.cs .Net Code: nMkImFVXFc System.Reflection.Assembly.Load(byte[])
Source: 0.2.IMG 003.exe.331b4d4.1.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.IMG 003.exe.331b4d4.1.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: IMG 003.exe Static PE information: 0xE8A28A03 [Sat Sep 5 05:17:55 2093 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 0_2_019204EA push edx; ret 0_2_019204EB
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 0_2_01923618 push esp; iretd 0_2_01923621
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_012F0C55 push edi; retf 8_2_012F0C7A
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06CB8418 push ebx; ret 8_2_06CB841A
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06CB8833 push esi; ret 8_2_06CB8836
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06CB8830 push edi; ret 8_2_06CB8832
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06CB496B push ss; ret 8_2_06CB496E
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06DA6C33 push es; ret 8_2_06DA6C40
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06DA7670 push esp; iretd 8_2_06DA7679
Source: C:\Users\user\Desktop\IMG 003.exe Code function: 8_2_06DA7C24 push esp; iretd 8_2_06DA7C2D
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 9_2_0DCCE905 push FFFFFF8Bh; iretd 9_2_0DCCE907
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 9_2_0DCC04EA push edx; ret 9_2_0DCC04EB
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 9_2_0DCC3618 push esp; iretd 9_2_0DCC3621
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_00D00617 push edx; retf 13_2_00D0061A
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_00D00838 push edx; retf 13_2_00D00846
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_00D00C55 push edi; retf 13_2_00D00C7A
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_067A6C32 push es; ret 13_2_067A6C40
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_067A7670 push esp; iretd 13_2_067A7679
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_067A11B5 push ebx; retf 13_2_067A11BC
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_067A7C24 push esp; iretd 13_2_067A7C2D
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Code function: 13_2_067A7944 push ebx; retf 13_2_067A7945
Source: IMG 003.exe Static PE information: section name: .text entropy: 7.544396745144058
Source: aBYKwaZ.exe.0.dr Static PE information: section name: .text entropy: 7.544396745144058
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, XSIdLuSHVVMbXEBnRk.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'kyBVc9CvEL', 'HI2VaNvHf0', 'KjlVzJRVyL', 'R6rqHxj2Qj', 'MWPqAxDpBq', 'tW4qVOFeWB', 'lkqqqyf1c0', 'qM68DNsUKJ1vMRVARev'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, h3CmZSIWZKFQJ3whsE.cs High entropy of concatenated method names: 'FX9Au0Pi2h', 'zuJAfL80FX', 'sEQAO7EJHg', 'FmhAYiprwA', 'J8lAnswXxo', 'R7eA1qglrv', 'R2th4bjNqmNcgs0vVF', 'tKrWHhlb7fdnB4aE51', 'uLrAA9UNVY', 'C52AqebgjE'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, UcyrsfJpC81Cwfa1WS.cs High entropy of concatenated method names: 'a3yu9S240r', 'aR5uSAOUNE', 'j6Hu8uQ3ah', 'LJR8asdiEG', 'GU78zuabnO', 'MDvuHhhfdH', 'pH4uAJOGh2', 'Kq0uVcuk3J', 'VX4uqFRw3k', 'iOhuIbtgKn'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, DIC77dcbVGfb0ZKQVI.cs High entropy of concatenated method names: 'XEeU4GwqeU', 'H4eU3jX6YF', 'stQUkePExK', 'ftKUDvK9c6', 'edDU2gm4fN', 'uDGULaNns8', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, xxo27e4qglrvAQrsmi.cs High entropy of concatenated method names: 'L9J8j4Avtb', 'oPn8GaLDvR', 'cm58FABb2P', 'MSc8u4ZlX4', 'LHZ8fd85Oe', 'ongFEiNraw', 'QkWFpMd2RO', 'UisFZFcy2y', 'mLlF0DjUm8', 'rLMFcFFVet'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, xrw0tlAqqY7H3tKyYi0.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Fmld2etOMC', 'XycdRv6MOt', 'WkBdwx3NcU', 'vSRdhxflqx', 'Q0QdEx2JiP', 'bfqdpS4NHv', 'hIkdZ97os2'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, IDqXVQV0QpWLHAPx2x.cs High entropy of concatenated method names: 'Sdom3opLx', 'ouf7f70Cf', 'd5otjZnwW', 'Bn6y8U6Uf', 'k61PjhHEZ', 'sfx5Wlr5w', 'haS3Q7EkOSsxBWUSvt', 'sgHS71fOMkSjeI4qXo', 'SHNUZPvBu', 'CIGdWsr7C'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, vWh1BKpdAe6ULESqsB.cs High entropy of concatenated method names: 'xvti0jENeD', 'KjmiaV5aGF', 'pPnUH4odtW', 'iZMUAns2NU', 'e9RiBHPj60', 'dDmiNo3eOe', 'tsoivmMOAq', 'Gj3i2RFJEM', 'NKNiRfFy1q', 'AvRiwnyhut'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, HTRRXi25oIY0C1PIAY.cs High entropy of concatenated method names: 'Nran6huSIp', 'b09nNl42rA', 'rban2J9ilq', 'DZXnRSAMf8', 'TZqn34ejWV', 'AjbnkELx4d', 'u7DnDRGdt2', 'PpTnLfqCxF', 'wl1nWn8Sjv', 'saGnJHC1eg'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, a4CNNYw48AkfsbTdWY.cs High entropy of concatenated method names: 'ToString', 'aDa1BjGjBN', 'ihT13Tc0PB', 'njW1kxRBwG', 's721DjkPg2', 'Aa21LP9CDh', 'h1f1W6UPkU', 'iri1J9uU5Q', 'qck1ly9L0L', 'zAm1bRqINo'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, OAZtfoGelWqo8FNBrD.cs High entropy of concatenated method names: 'Dispose', 'g2OAcXoIwx', 'uuOV3Pr1KI', 'BDj99cY5g4', 'ebfAahJ2PH', 'zoXAzP58iy', 'ProcessDialogKey', 'B9yVHIC77d', 'MVGVAfb0ZK', 'tVIVVXATW3'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, Y8MTZFAH1SfBEO3hiI0.cs High entropy of concatenated method names: 'dcnxoO9EWK', 'hPQxKnweWN', 'Qdrxmtmq9Q', 'aTJx70Ty2t', 'zhJxgBMHpH', 'SPextngJnL', 'lP0xyQT1G4', 'FICxTupXj9', 'lgexP7xk46', 'gUBx5i26aL'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, aa5nAO3deR1t0CtJ8c.cs High entropy of concatenated method names: 'jr4GBuhFl0y64dYGpIb', 'FNbtCFhAmamDjeJRTum', 'QtY8Unhyuk', 'Mv18xWCptP', 'Eb38dBKc2N', 'ItHelshis1EZVAiCB1l', 'Cu4oNKhdVS61DgiokBK'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, VrwABt5xyMU7KL8lsw.cs High entropy of concatenated method names: 'gUpFgUJ1g5', 'INJFy0ppFi', 'V6MSkCCPlT', 'CXGSDa0aM6', 'JDHSLfRO08', 'Ka6SWfFrsY', 'CeXSJe4Ofj', 'Do2SlkFi9o', 'jwBSbMqXcY', 'D8wS6Rgsey'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, vCSyCTfIWhq3JOLxpn.cs High entropy of concatenated method names: 'vkIqjaC0bO', 'yPAq9e2jcq', 'WQaqGduPh9', 'YDOqSON9P6', 'CUoqFqqOEB', 'KL1q8DAshB', 'CWCqumIODW', 'evHqfihcs0', 'PP2qCVDZSv', 'bsDqOBX3TB'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, nXy3Qav2iClUHmsmKf.cs High entropy of concatenated method names: 'LiBMTnNPAj', 'NkYMPUFmtk', 'lNjM4sHHFI', 'ocxM39f144', 'RCLMDu01hY', 'ViwMLYZLFA', 'GO3MJoOmXS', 'T3iMlkrCdL', 'jJAM6hpHA0', 'IrmMBDQgAf'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, f0Pi2hT7uJL80FX4Rh.cs High entropy of concatenated method names: 'hF9G2Ks7OB', 'aOKGRd2dAR', 'YEBGwgrWB6', 'bLsGhHaOkW', 'rJOGEFI0NO', 'Fu2Gp2rrVs', 'NtAGZPcTPP', 'DGKG0LXSLV', 'IgBGcb301K', 'oktGa6RPqq'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, FRvlGNAATApnSHHZXZS.cs High entropy of concatenated method names: 'ToString', 'pHpdqGovfT', 'mMGdI3Y6kJ', 'sfOdjr0FWo', 'TH4d9NvLvt', 'VP1dGt6PNT', 'WlxdSwxX47', 'rDvdF3yqt0', 'BKwUFgUrhFBkdpbOKSq', 'GDBoq5UQFXgAl82TfOu'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, xATW3Naow795m2pvhD.cs High entropy of concatenated method names: 'glvxAeu2ve', 'N2XxqJZTGr', 'pXsxIS0GOW', 'DeNx9OE07l', 'DcIxGGhs26', 'sTSxFvDvUJ', 'fuHx8qNEsj', 'qB0UZyE8eq', 'tcMU0OC33q', 'ShoUcV9Csx'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, TflZ91bZCGQd4nk0Hs.cs High entropy of concatenated method names: 'VXouovTkyg', 'SFAuKqRvKQ', 'UqTum5RQwg', 'dLOu7Ekf9j', 'r9GugTvVGP', 'DdsutV6ncg', 'HTIuy8f8xh', 'tc0uTXJ3jH', 'oEbuPbum6i', 'Sibu5kSAdL'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, MfhJ2P0HmoXP58iyg9.cs High entropy of concatenated method names: 'fjxU9TmNex', 'fdgUGuQLuo', 'kVHUSdCNER', 'cHVUFscTOs', 'fdMU8HXHKx', 'WKsUujAAKh', 'X87UfNpUoL', 'KW8UCrSJo8', 'ixUUOfIimE', 'qqgUYWccTf'
Source: 0.2.IMG 003.exe.7ab0000.5.raw.unpack, DPuwadPEQ7EJHg5mhi.cs High entropy of concatenated method names: 'c2VS7BEZHX', 'nBNSt78kZh', 'GHXSTbDXx4', 'Qe5SP4AvZJ', 'FViSnsCWiE', 'CRPS1cMjoG', 'agCSiOjhcF', 'DyYSUHWud3', 'PNSSxmYo68', 'PPZSduHlOr'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, XSIdLuSHVVMbXEBnRk.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'kyBVc9CvEL', 'HI2VaNvHf0', 'KjlVzJRVyL', 'R6rqHxj2Qj', 'MWPqAxDpBq', 'tW4qVOFeWB', 'lkqqqyf1c0', 'qM68DNsUKJ1vMRVARev'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, h3CmZSIWZKFQJ3whsE.cs High entropy of concatenated method names: 'FX9Au0Pi2h', 'zuJAfL80FX', 'sEQAO7EJHg', 'FmhAYiprwA', 'J8lAnswXxo', 'R7eA1qglrv', 'R2th4bjNqmNcgs0vVF', 'tKrWHhlb7fdnB4aE51', 'uLrAA9UNVY', 'C52AqebgjE'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, UcyrsfJpC81Cwfa1WS.cs High entropy of concatenated method names: 'a3yu9S240r', 'aR5uSAOUNE', 'j6Hu8uQ3ah', 'LJR8asdiEG', 'GU78zuabnO', 'MDvuHhhfdH', 'pH4uAJOGh2', 'Kq0uVcuk3J', 'VX4uqFRw3k', 'iOhuIbtgKn'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, DIC77dcbVGfb0ZKQVI.cs High entropy of concatenated method names: 'XEeU4GwqeU', 'H4eU3jX6YF', 'stQUkePExK', 'ftKUDvK9c6', 'edDU2gm4fN', 'uDGULaNns8', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, xxo27e4qglrvAQrsmi.cs High entropy of concatenated method names: 'L9J8j4Avtb', 'oPn8GaLDvR', 'cm58FABb2P', 'MSc8u4ZlX4', 'LHZ8fd85Oe', 'ongFEiNraw', 'QkWFpMd2RO', 'UisFZFcy2y', 'mLlF0DjUm8', 'rLMFcFFVet'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, xrw0tlAqqY7H3tKyYi0.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Fmld2etOMC', 'XycdRv6MOt', 'WkBdwx3NcU', 'vSRdhxflqx', 'Q0QdEx2JiP', 'bfqdpS4NHv', 'hIkdZ97os2'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, IDqXVQV0QpWLHAPx2x.cs High entropy of concatenated method names: 'Sdom3opLx', 'ouf7f70Cf', 'd5otjZnwW', 'Bn6y8U6Uf', 'k61PjhHEZ', 'sfx5Wlr5w', 'haS3Q7EkOSsxBWUSvt', 'sgHS71fOMkSjeI4qXo', 'SHNUZPvBu', 'CIGdWsr7C'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, vWh1BKpdAe6ULESqsB.cs High entropy of concatenated method names: 'xvti0jENeD', 'KjmiaV5aGF', 'pPnUH4odtW', 'iZMUAns2NU', 'e9RiBHPj60', 'dDmiNo3eOe', 'tsoivmMOAq', 'Gj3i2RFJEM', 'NKNiRfFy1q', 'AvRiwnyhut'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, HTRRXi25oIY0C1PIAY.cs High entropy of concatenated method names: 'Nran6huSIp', 'b09nNl42rA', 'rban2J9ilq', 'DZXnRSAMf8', 'TZqn34ejWV', 'AjbnkELx4d', 'u7DnDRGdt2', 'PpTnLfqCxF', 'wl1nWn8Sjv', 'saGnJHC1eg'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, a4CNNYw48AkfsbTdWY.cs High entropy of concatenated method names: 'ToString', 'aDa1BjGjBN', 'ihT13Tc0PB', 'njW1kxRBwG', 's721DjkPg2', 'Aa21LP9CDh', 'h1f1W6UPkU', 'iri1J9uU5Q', 'qck1ly9L0L', 'zAm1bRqINo'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, OAZtfoGelWqo8FNBrD.cs High entropy of concatenated method names: 'Dispose', 'g2OAcXoIwx', 'uuOV3Pr1KI', 'BDj99cY5g4', 'ebfAahJ2PH', 'zoXAzP58iy', 'ProcessDialogKey', 'B9yVHIC77d', 'MVGVAfb0ZK', 'tVIVVXATW3'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, Y8MTZFAH1SfBEO3hiI0.cs High entropy of concatenated method names: 'dcnxoO9EWK', 'hPQxKnweWN', 'Qdrxmtmq9Q', 'aTJx70Ty2t', 'zhJxgBMHpH', 'SPextngJnL', 'lP0xyQT1G4', 'FICxTupXj9', 'lgexP7xk46', 'gUBx5i26aL'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, aa5nAO3deR1t0CtJ8c.cs High entropy of concatenated method names: 'jr4GBuhFl0y64dYGpIb', 'FNbtCFhAmamDjeJRTum', 'QtY8Unhyuk', 'Mv18xWCptP', 'Eb38dBKc2N', 'ItHelshis1EZVAiCB1l', 'Cu4oNKhdVS61DgiokBK'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, VrwABt5xyMU7KL8lsw.cs High entropy of concatenated method names: 'gUpFgUJ1g5', 'INJFy0ppFi', 'V6MSkCCPlT', 'CXGSDa0aM6', 'JDHSLfRO08', 'Ka6SWfFrsY', 'CeXSJe4Ofj', 'Do2SlkFi9o', 'jwBSbMqXcY', 'D8wS6Rgsey'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, vCSyCTfIWhq3JOLxpn.cs High entropy of concatenated method names: 'vkIqjaC0bO', 'yPAq9e2jcq', 'WQaqGduPh9', 'YDOqSON9P6', 'CUoqFqqOEB', 'KL1q8DAshB', 'CWCqumIODW', 'evHqfihcs0', 'PP2qCVDZSv', 'bsDqOBX3TB'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, nXy3Qav2iClUHmsmKf.cs High entropy of concatenated method names: 'LiBMTnNPAj', 'NkYMPUFmtk', 'lNjM4sHHFI', 'ocxM39f144', 'RCLMDu01hY', 'ViwMLYZLFA', 'GO3MJoOmXS', 'T3iMlkrCdL', 'jJAM6hpHA0', 'IrmMBDQgAf'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, f0Pi2hT7uJL80FX4Rh.cs High entropy of concatenated method names: 'hF9G2Ks7OB', 'aOKGRd2dAR', 'YEBGwgrWB6', 'bLsGhHaOkW', 'rJOGEFI0NO', 'Fu2Gp2rrVs', 'NtAGZPcTPP', 'DGKG0LXSLV', 'IgBGcb301K', 'oktGa6RPqq'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, FRvlGNAATApnSHHZXZS.cs High entropy of concatenated method names: 'ToString', 'pHpdqGovfT', 'mMGdI3Y6kJ', 'sfOdjr0FWo', 'TH4d9NvLvt', 'VP1dGt6PNT', 'WlxdSwxX47', 'rDvdF3yqt0', 'BKwUFgUrhFBkdpbOKSq', 'GDBoq5UQFXgAl82TfOu'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, xATW3Naow795m2pvhD.cs High entropy of concatenated method names: 'glvxAeu2ve', 'N2XxqJZTGr', 'pXsxIS0GOW', 'DeNx9OE07l', 'DcIxGGhs26', 'sTSxFvDvUJ', 'fuHx8qNEsj', 'qB0UZyE8eq', 'tcMU0OC33q', 'ShoUcV9Csx'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, TflZ91bZCGQd4nk0Hs.cs High entropy of concatenated method names: 'VXouovTkyg', 'SFAuKqRvKQ', 'UqTum5RQwg', 'dLOu7Ekf9j', 'r9GugTvVGP', 'DdsutV6ncg', 'HTIuy8f8xh', 'tc0uTXJ3jH', 'oEbuPbum6i', 'Sibu5kSAdL'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, MfhJ2P0HmoXP58iyg9.cs High entropy of concatenated method names: 'fjxU9TmNex', 'fdgUGuQLuo', 'kVHUSdCNER', 'cHVUFscTOs', 'fdMU8HXHKx', 'WKsUujAAKh', 'X87UfNpUoL', 'KW8UCrSJo8', 'ixUUOfIimE', 'qqgUYWccTf'
Source: 0.2.IMG 003.exe.44bd220.2.raw.unpack, DPuwadPEQ7EJHg5mhi.cs High entropy of concatenated method names: 'c2VS7BEZHX', 'nBNSt78kZh', 'GHXSTbDXx4', 'Qe5SP4AvZJ', 'FViSnsCWiE', 'CRPS1cMjoG', 'agCSiOjhcF', 'DyYSUHWud3', 'PNSSxmYo68', 'PPZSduHlOr'
Drops PE files
Source: C:\Users\user\Desktop\IMG 003.exe File created: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\IMG 003.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: IMG 003.exe PID: 6676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aBYKwaZ.exe PID: 7456, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: 16F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: 32B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: 1890000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: 9750000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: A750000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: A960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: B960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: BD90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: CD90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: 9750000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: A960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: BD90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: 12F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: 3000000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: 5000000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: 1100000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: 2AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: 4AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: 86D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: 96D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: 98C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: A8C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: AC90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: BC90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: CC90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: E030000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: F030000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: 10030000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: 11030000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: 2A70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory allocated: 29C0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199940 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199811 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199702 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199593 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199484 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199374 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199265 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199156 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199047 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1198929 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1198828 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1198718 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1198609 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1198499 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1198390 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1198281 Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199953
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199843
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199734
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199624
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199515
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199406
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199284
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199168
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199046
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1198937
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1198828
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1198718
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1198609
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6468 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 594 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6997 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2246 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Window / User API: threadDelayed 3625 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Window / User API: threadDelayed 6209 Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Window / User API: threadDelayed 7269
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Window / User API: threadDelayed 2585
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\IMG 003.exe TID: 6720 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2020 Thread sleep count: 6468 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7144 Thread sleep count: 594 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7288 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7240 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -36893488147419080s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -99890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -99778s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -99671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -99562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -99453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -99343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -99234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -99124s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -99015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -98879s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -98765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -98656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -98546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -98437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -98328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -98218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -98109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -98000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -97889s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -97767s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -97640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -97531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -97420s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -97311s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -97203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -97092s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -96984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -96871s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -96765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -96656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -96544s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -96428s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -96312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -96194s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -95921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -95725s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1199940s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1199811s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1199702s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1199593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1199484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1199374s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1199265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1199156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1199047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1198929s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1198828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1198718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1198609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1198499s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1198390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe TID: 7492 Thread sleep time: -1198281s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7480 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -99653s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -99436s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -99309s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -99202s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -99087s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -98937s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -98742s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -98517s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -98334s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -98194s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -97968s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -97749s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -97640s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -97531s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -97421s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -97092s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -96873s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -96765s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -96656s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -96544s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -96437s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -96326s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -96218s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -96109s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -95999s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -95890s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -95781s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -95671s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -95562s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -1199953s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -1199843s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -1199734s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -1199624s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -1199515s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -1199406s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -1199284s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -1199168s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -1199046s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -1198937s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -1198828s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -1198718s >= -30000s
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe TID: 7780 Thread sleep time: -1198609s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG 003.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 99890 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 99778 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 99671 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 99562 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 99453 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 99343 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 99234 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 99124 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 99015 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 98879 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 98765 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 98656 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 98546 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 98437 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 98328 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 98218 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 98109 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 98000 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 97889 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 97767 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 97640 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 97531 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 97420 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 97311 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 97203 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 97092 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 96984 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 96871 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 96765 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 96656 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 96544 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 96428 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 96312 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 96194 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 95921 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 95725 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199940 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199811 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199702 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199593 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199484 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199374 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199265 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199156 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1199047 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1198929 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1198828 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1198718 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1198609 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1198499 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1198390 Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Thread delayed: delay time: 1198281 Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 99874
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 99653
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 99436
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 99309
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 99202
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 99087
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 98937
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 98742
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 98517
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 98334
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 98194
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 98078
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 97968
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 97859
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 97749
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 97640
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 97531
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 97421
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 97312
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 97203
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 97092
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 96984
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 96873
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 96765
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 96656
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 96544
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 96437
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 96326
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 96218
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 96109
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 95999
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 95890
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 95781
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 95671
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 95562
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199953
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199843
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199734
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199624
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199515
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199406
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199284
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199168
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1199046
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1198937
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1198828
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1198718
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Thread delayed: delay time: 1198609
Source: IMG 003.exe, 00000008.00000002.2916285074.0000000001460000.00000004.00000020.00020000.00000000.sdmp, aBYKwaZ.exe, 0000000D.00000002.2915855945.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\IMG 003.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\IMG 003.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe"
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aBYKwaZ.exe"
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe" Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aBYKwaZ.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\IMG 003.exe Memory written: C:\Users\user\Desktop\IMG 003.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Memory written: C:\Users\user\AppData\Roaming\aBYKwaZ.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\IMG 003.exe" Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aBYKwaZ.exe" Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmpFDAB.tmp" Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Process created: C:\Users\user\Desktop\IMG 003.exe "C:\Users\user\Desktop\IMG 003.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBYKwaZ" /XML "C:\Users\user\AppData\Local\Temp\tmp170F.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Process created: C:\Users\user\AppData\Roaming\aBYKwaZ.exe "C:\Users\user\AppData\Roaming\aBYKwaZ.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Users\user\Desktop\IMG 003.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Users\user\Desktop\IMG 003.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Queries volume information: C:\Users\user\AppData\Roaming\aBYKwaZ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Queries volume information: C:\Users\user\AppData\Roaming\aBYKwaZ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\IMG 003.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.IMG 003.exe.439e370.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.aBYKwaZ.exe.459ec50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.IMG 003.exe.43d8d90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.aBYKwaZ.exe.4564230.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.aBYKwaZ.exe.459ec50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.IMG 003.exe.439e370.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.aBYKwaZ.exe.4564230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2918405791.000000000307B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2918405791.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2918450759.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2918450759.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2918405791.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1772124355.0000000004564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IMG 003.exe PID: 6676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IMG 003.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aBYKwaZ.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aBYKwaZ.exe PID: 7680, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\IMG 003.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\IMG 003.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\IMG 003.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\aBYKwaZ.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 0.2.IMG 003.exe.439e370.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.aBYKwaZ.exe.459ec50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.IMG 003.exe.43d8d90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.aBYKwaZ.exe.4564230.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.aBYKwaZ.exe.459ec50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.IMG 003.exe.439e370.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.aBYKwaZ.exe.4564230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2918450759.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2918405791.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1772124355.0000000004564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IMG 003.exe PID: 6676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IMG 003.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aBYKwaZ.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aBYKwaZ.exe PID: 7680, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.IMG 003.exe.439e370.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.aBYKwaZ.exe.459ec50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.IMG 003.exe.43d8d90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.aBYKwaZ.exe.4564230.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.IMG 003.exe.43d8d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.aBYKwaZ.exe.459ec50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.IMG 003.exe.439e370.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.aBYKwaZ.exe.4564230.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2918405791.000000000307B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2918450759.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2918405791.0000000003083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2918405791.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2918450759.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2918450759.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2918405791.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1709332299.000000000439E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1772124355.0000000004564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: IMG 003.exe PID: 6676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: IMG 003.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aBYKwaZ.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aBYKwaZ.exe PID: 7680, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1467967 Sample: IMG 003.exe Startdate: 05/07/2024 Architecture: WINDOWS Score: 100 46 smtp.yandex.com 2->46 48 smtp.yandex.ru 2->48 50 api.ipify.org 2->50 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Sigma detected: Scheduled temp file as task from temp location 2->60 62 13 other signatures 2->62 8 IMG 003.exe 7 2->8         started        12 aBYKwaZ.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\aBYKwaZ.exe, PE32 8->38 dropped 40 C:\Users\user\...\aBYKwaZ.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmpFDAB.tmp, XML 8->42 dropped 44 C:\Users\user\AppData\...\IMG 003.exe.log, ASCII 8->44 dropped 64 Adds a directory exclusion to Windows Defender 8->64 66 Injects a PE file into a foreign processes 8->66 14 IMG 003.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        68 Multi AV Scanner detection for dropped file 12->68 70 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->70 72 Machine Learning detection for dropped file 12->72 24 aBYKwaZ.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 52 smtp.yandex.ru 77.88.21.158, 49736, 49738, 49746 YANDEXRU Russian Federation 14->52 54 api.ipify.org 172.67.74.152, 443, 49733, 49737 CLOUDFLARENETUS United States 14->54 74 Installs a global keyboard hook 14->74 76 Loading BitLocker PowerShell Module 18->76 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        78 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->78 80 Tries to steal Mail credentials (via file / registry access) 24->80 82 Tries to harvest and steal ftp login credentials 24->82 84 Tries to harvest and steal browser information (history, passwords, etc) 24->84 36 conhost.exe 26->36         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
77.88.21.158
 smtp.yandex.ru Russian Federation
13238 YANDEXRU false
172.67.74.152
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
smtp.yandex.ru 77.88.21.158 true
api.ipify.org 172.67.74.152 true
smtp.yandex.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
  • URL Reputation: safe
 unknown