Windows Analysis Report
PO 102675-PI C247SH45.exe

Overview

General Information

Sample name: PO 102675-PI C247SH45.exe
Analysis ID: 1501075
MD5: fc67feff386a251162f941b610f01eeb
SHA1: 482f7f3f808cc0997df34d8847b676fde1d1147a
SHA256: b2fb490ecbe535fb56d2e56751bbe28eb84e4c08c04ee5517f8dc462743df83e
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://mail.iaa-airferight.com Avira URL Cloud: Label: malware
Found malware configuration
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Multi AV Scanner detection for domain / URL
Source: mail.iaa-airferight.com Virustotal: Detection: 8% Perma Link
Source: http://mail.iaa-airferight.com Virustotal: Detection: 8% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Virustotal: Detection: 62% Perma Link
Multi AV Scanner detection for submitted file
Source: PO 102675-PI C247SH45.exe ReversingLabs: Detection: 57%
Source: PO 102675-PI C247SH45.exe Virustotal: Detection: 62% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO 102675-PI C247SH45.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: PO 102675-PI C247SH45.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO 102675-PI C247SH45.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 46.175.148.58 46.175.148.58
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ASLAGIDKOM-NETUA ASLAGIDKOM-NETUA
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.7:49706 -> 46.175.148.58:25
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: PO 102675-PI C247SH45.exe, 00000009.00000002.2792486568.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, cfEpcI.exe, 0000000E.00000002.2793018287.0000000002E57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.iaa-airferight.com
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://s2.symcb.com0
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1570158388.0000000003516000.00000004.00000800.00020000.00000000.sdmp, cfEpcI.exe, 0000000A.00000002.1615626316.0000000002A96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1571966268.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, PO 102675-PI C247SH45.exe, 00000009.00000002.2789262829.000000000042F000.00000040.00000400.00020000.00000000.sdmp, cfEpcI.exe, 0000000A.00000002.1617341416.0000000004568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, SKTzxzsJw.cs .Net Code: sf6jJs8S
Source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.raw.unpack, SKTzxzsJw.cs .Net Code: sf6jJs8S

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.cfEpcI.exe.45a3508.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.PO 102675-PI C247SH45.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.cfEpcI.exe.4568ae8.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.cfEpcI.exe.45a3508.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.cfEpcI.exe.4568ae8.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_01649378 9_2_01649378
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_01649B38 9_2_01649B38
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_01644A98 9_2_01644A98
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_0164CDB0 9_2_0164CDB0
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_01643E80 9_2_01643E80
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_016441C8 9_2_016441C8
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_066756D8 9_2_066756D8
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_06673F48 9_2_06673F48
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_06672F00 9_2_06672F00
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_0667BD00 9_2_0667BD00
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_0667DD10 9_2_0667DD10
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_06679AE0 9_2_06679AE0
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_06678B98 9_2_06678B98
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_06670040 9_2_06670040
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_06673650 9_2_06673650
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_06674FF8 9_2_06674FF8
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Code function: 9_2_0667DB68 9_2_0667DB68
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_027C38AC 10_2_027C38AC
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_027C1458 10_2_027C1458
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_027C1E18 10_2_027C1E18
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_027C1E0B 10_2_027C1E0B
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_027C3DD0 10_2_027C3DD0
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_06C747A8 10_2_06C747A8
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_06C78569 10_2_06C78569
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_06C70AB0 10_2_06C70AB0
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_06C777E8 10_2_06C777E8
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_06C79760 10_2_06C79760
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_06C704F0 10_2_06C704F0
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_06C704B9 10_2_06C704B9
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_06C70500 10_2_06C70500
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_06C773B0 10_2_06C773B0
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_06C79328 10_2_06C79328
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_06C7EE38 10_2_06C7EE38
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_06C77C20 10_2_06C77C20
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_06C70AA0 10_2_06C70AA0
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_013C9378 14_2_013C9378
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_013C9B38 14_2_013C9B38
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_013C4A98 14_2_013C4A98
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_013CCDB0 14_2_013CCDB0
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_013C3E80 14_2_013C3E80
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_013C41C8 14_2_013C41C8
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_062356D8 14_2_062356D8
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_06232F00 14_2_06232F00
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_06233F48 14_2_06233F48
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_0623BD00 14_2_0623BD00
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_0623DD00 14_2_0623DD00
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_06239AE0 14_2_06239AE0
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_06238B98 14_2_06238B98
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_06230040 14_2_06230040
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_06233650 14_2_06233650
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 14_2_06234FF8 14_2_06234FF8
PE / OLE file has an invalid certificate
Source: PO 102675-PI C247SH45.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: PO 102675-PI C247SH45.exe, 00000000.00000000.1528780222.0000000000E52000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelingxi_win_ia32_1.43.1.exe0 vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1570158388.00000000032EC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSalmun.dll. vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1569425068.000000000164E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1570158388.0000000003516000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1571966268.0000000004C89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1571966268.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1578581845.0000000009ED0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1576696348.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSalmun.dll. vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1570158388.0000000003271000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSalmun.dll. vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000009.00000002.2789262829.000000000042F000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000009.00000002.2789687228.0000000000FF9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe Binary or memory string: OriginalFilenamelingxi_win_ia32_1.43.1.exe0 vs PO 102675-PI C247SH45.exe
Uses 32bit PE files
Source: PO 102675-PI C247SH45.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.cfEpcI.exe.45a3508.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.PO 102675-PI C247SH45.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.cfEpcI.exe.4568ae8.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.cfEpcI.exe.45a3508.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.cfEpcI.exe.4568ae8.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: PO 102675-PI C247SH45.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cfEpcI.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, XZNGMaRh1iVe1T7tRw.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, XZNGMaRh1iVe1T7tRw.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, P4iBrYYtWeo13uAdCW.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, P4iBrYYtWeo13uAdCW.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, P4iBrYYtWeo13uAdCW.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, P4iBrYYtWeo13uAdCW.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, P4iBrYYtWeo13uAdCW.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, P4iBrYYtWeo13uAdCW.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/15@1/1
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe File created: C:\Users\user\AppData\Roaming\cfEpcI.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Mutant created: \Sessions\1\BaseNamedObjects\lLtGeCKPLLzGHEf
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5456:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_03
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe File created: C:\Users\user\AppData\Local\Temp\tmpE520.tmp Jump to behavior
Source: PO 102675-PI C247SH45.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO 102675-PI C247SH45.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PO 102675-PI C247SH45.exe ReversingLabs: Detection: 57%
Source: PO 102675-PI C247SH45.exe Virustotal: Detection: 62%
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe File read: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cfEpcI.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\cfEpcI.exe C:\Users\user\AppData\Roaming\cfEpcI.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpF7DD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process created: C:\Users\user\AppData\Roaming\cfEpcI.exe "C:\Users\user\AppData\Roaming\cfEpcI.exe"
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cfEpcI.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp" Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpF7DD.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process created: C:\Users\user\AppData\Roaming\cfEpcI.exe "C:\Users\user\AppData\Roaming\cfEpcI.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: PO 102675-PI C247SH45.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO 102675-PI C247SH45.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: PO 102675-PI C247SH45.exe, Form2.cs .Net Code: _206E_206E_206E_200E_200D_200C_206B_202E_200F_202D_202E_206E_202E_202D_200B_200C_206D_200D_200B_202C_200B_202D_202E_202E_202C_206F_200D_200C_202C_206F_206D_206F_200C_206C_202A_200D_200E_206D_202A_200F_202E System.Reflection.Assembly.Load(byte[])
Source: cfEpcI.exe.0.dr, Form2.cs .Net Code: _206E_206E_206E_200E_200D_200C_206B_202E_200F_202D_202E_206E_202E_202D_200B_200C_206D_200D_200B_202C_200B_202D_202E_202E_202C_206F_200D_200C_202C_206F_206D_206F_200C_206C_202A_200D_200E_206D_202A_200F_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, P4iBrYYtWeo13uAdCW.cs .Net Code: gS4X5Y5rNM System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO 102675-PI C247SH45.exe.5bb0000.9.raw.unpack, PingPong.cs .Net Code: _202B_206B_206C_202A_206A_202A_200D_200F_200B_202D_206D_202A_206D_206E_206A_202B_200F_200D_202B_202B_202D_206C_200F_206C_206A_206E_200C_202D_206F_206D_206A_202D_200C_200D_200E_206D_200E_202D_206E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, P4iBrYYtWeo13uAdCW.cs .Net Code: gS4X5Y5rNM System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_027C8ABE push 6900B2AEh; ret 10_2_027C8AC3
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Code function: 10_2_06C7E090 pushad ; iretd 10_2_06C7E091
Source: PO 102675-PI C247SH45.exe Static PE information: section name: .text entropy: 7.741414937120459
Source: cfEpcI.exe.0.dr Static PE information: section name: .text entropy: 7.741414937120459
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, Dbc3IgX1pIbLinsKnQ.cs High entropy of concatenated method names: 'VHcPeEQxkE', 'keOP1uUGD2', 'KWePYXGmvU', 'mHLPcE8Gn9', 'aBoPVFHojV', 'w2aPRululZ', 'PSlPCLt2Gl', 'CDbPscLYP0', 'L4RPWoMx54', 'ho5PSfZwxm'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, EZeN25cUnTlvDeDFeY.cs High entropy of concatenated method names: 'U0LEwsWD57', 'dvJE3M4E7u', 'eN3Ug91OWJ', 'P5fUVKKNao', 'JM3URUmdDy', 'L92UTOm1Q1', 'DFWUCZtYo5', 'JBGUsbtMk2', 'R3xUHCxP6q', 'K3qUWH4mR0'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, TUtqE3NYx5moihSS3m.cs High entropy of concatenated method names: 'N22jv1cM6i', 'yLqjK0Gpgr', 'ToString', 'ukxjuylvMB', 'BA6jl6DXIY', 'tY3jUE7Qo4', 'C47jEW9LN7', 'JVIjyV41eH', 'duujL4QNd1', 'ax9jtMxCfN'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, MixCIbONTxYKq4JYeR.cs High entropy of concatenated method names: 'Dispose', 'kQ6poVcogM', 'DCN4cT4eNW', 'DtTMMZckUb', 'X3KpxtmXPK', 'znbpzEjKDu', 'ProcessDialogKey', 'JGn4mcDhWb', 'XIq4pLp5O4', 'MSe44D0q3W'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, TUssRygDr8sjbG2ASb.cs High entropy of concatenated method names: 'btNUJaE2I4', 'HSFUfBf7ne', 'aLQUexO8Vq', 'cBrU17QGgl', 'mvgUqAWe8W', 'bXTU2CfAcV', 'sbVUjj6v7r', 'i06UFBtjQg', 'B0YUb705nJ', 'f82UhUnuZA'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, dI766yvWoXEifPqtC3.cs High entropy of concatenated method names: 'zqSFul809L', 'bcyFl6D273', 'xGtFUhk5hQ', 'sLdFEO5fqa', 'mVXFy8aOvA', 'xLkFL5SU7F', 'HMUFtVG27X', 'lb0FdMUirh', 'PEeFvkF6HU', 'KYAFKQ0SeW'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, bCVkPj2qb5Ob5NYp2l.cs High entropy of concatenated method names: 'Fi0yZAsGMO', 'z6Dyl35PtF', 'KTwyEMV30r', 'D2XyL82aTX', 'wMvytpNZFO', 'CK9ErW7PdX', 'FMVEifMmG3', 'MtSE7SCOH1', 'i9BEBKJOnu', 'I8UEoj6UYn'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, Gfi7r87ifsLFGY2M1A.cs High entropy of concatenated method names: 'mOKpL2LOeX', 'Hk4ptObq5x', 'ENbpv5Ecfr', 'GLjpKevRMX', 'NqQpqtskyv', 'xxpp28aAQI', 'Iy7nV4Vml6i2JDHZgc', 'EjBPDB39AJqHdyj5dt', 'qjGxxExOEM5VHta2p2', 'mdipp7evTg'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, XZNGMaRh1iVe1T7tRw.cs High entropy of concatenated method names: 'hWkl9ywE1J', 'mimlNN8Kfr', 'r9wl8KD0le', 'krhlncQG4b', 'usRlrWh1qn', 'pvAliXFDi0', 'Alal7MBjta', 'fmQlBUh3AE', 'WImloc7UNS', 'SywlxMr4RL'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, wTVEfVjdfxonTGLWVt.cs High entropy of concatenated method names: 'AalbpEJCAx', 'mmFbDO9XkW', 'gfBbX19ERI', 'mmnbuXDZ4b', 'NaUblufxP7', 'vbSbEoaM0I', 'wZRbyUrehu', 'DSDF71MIp7', 'doWFBesAK8', 'QDuFo4GSbq'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, P4iBrYYtWeo13uAdCW.cs High entropy of concatenated method names: 'FDyDZfwegY', 'F5CDuPIyZG', 'E6VDlKNfo6', 'riKDUy1lq9', 'FRXDEhMO5i', 'mvYDyE8aWC', 'QDVDLHFQR1', 'FmTDtjUqv2', 'ofEDdvgVg2', 'hO3DvouLBG'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, F7PXvwkbCrp0yksg4y.cs High entropy of concatenated method names: 'KDdjBkL4Po', 'zdvjxo7oBL', 'fIiFm7wifw', 'iTAFpbGprP', 'AdJjS9l1Z7', 'EqUjaFuFDK', 'aKkjOktwda', 'znCj9Qe6q3', 'iGQjN7lS3v', 'a4Kj8Lvsu2'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, dKqS8cFIN1dX56nNFY.cs High entropy of concatenated method names: 'AljL0vodjs', 'mhoL6kmqe4', 'i8kL5RJ1jy', 'MO1LJQrFLR', 'iXxLwBnr5b', 'qjMLf4529C', 'MCCL3pSpLi', 'hJcLeLM69E', 'JXgL1EEo08', 'pmELkBDxDF'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, iCOmEBKMDjAh6X6SK2y.cs High entropy of concatenated method names: 'nYAb0MxgTU', 'jJ9b6o8xf3', 'g4sb5hUjYp', 'vi2bJyvKR7', 'PsQbw7UOok', 'SHYbfojMWu', 'x3Yb3VhBxl', 'J9XbeUAbiQ', 'jkcb12qkOs', 'KFwbk8jsn3'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, BKQ4dd4VQCEcwOGDg0.cs High entropy of concatenated method names: 'xHg5meUwI', 'vS4Jo0i2L', 'ailfyOONA', 'C1g3qhPp7', 'Bsj1baXxc', 'ftMkQcmMu', 'Pw4AiqXW7RmSXsCYxN', 'tWN5TskpsRic2C1XjE', 'imiFitVPW', 'RsmhbNRUa'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, CcCRQVxa89tGTbPktF.cs High entropy of concatenated method names: 'kXPqWpbYmg', 'RA1qaV9nPY', 'vAgq9bLaFv', 'coPqN6mUda', 'LBXqcCjsU9', 'qQTqgLnFhy', 'aDeqVfhXcp', 'GMrqR4RDFD', 'modqTM5DFo', 'PPuqCZFdqx'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, SsoqpGzoVWwgTYwUET.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'seXbPBfITh', 'tX7bqScaNT', 'vhub2n0aO4', 'HDnbj83TmM', 'dPXbFnhA19', 'AnPbbQpJMx', 'KBdbhbqbiv'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, SGbsmiHhmglYislFr9.cs High entropy of concatenated method names: 'vbELuHN13T', 'bCkLUOxJVU', 'c9NLyEmPPU', 'WDayxq0swQ', 'bIoyzGsOVF', 'ON5LmiC3n6', 'Ul2LpKbDZt', 'fvoL49I7De', 'BT8LD2g9jQ', 'aGiLXYjcF6'
Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, I7B4uAKw8ph5eVgtCWE.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OxAh91gJ5T', 'YxNhNhopol', 'MwIh89Bnaf', 'A6KhneIe73', 'YW3hrBc86T', 'LWjhii3oxq', 'pAuh7w9iZ6'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, Dbc3IgX1pIbLinsKnQ.cs High entropy of concatenated method names: 'VHcPeEQxkE', 'keOP1uUGD2', 'KWePYXGmvU', 'mHLPcE8Gn9', 'aBoPVFHojV', 'w2aPRululZ', 'PSlPCLt2Gl', 'CDbPscLYP0', 'L4RPWoMx54', 'ho5PSfZwxm'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, EZeN25cUnTlvDeDFeY.cs High entropy of concatenated method names: 'U0LEwsWD57', 'dvJE3M4E7u', 'eN3Ug91OWJ', 'P5fUVKKNao', 'JM3URUmdDy', 'L92UTOm1Q1', 'DFWUCZtYo5', 'JBGUsbtMk2', 'R3xUHCxP6q', 'K3qUWH4mR0'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, TUtqE3NYx5moihSS3m.cs High entropy of concatenated method names: 'N22jv1cM6i', 'yLqjK0Gpgr', 'ToString', 'ukxjuylvMB', 'BA6jl6DXIY', 'tY3jUE7Qo4', 'C47jEW9LN7', 'JVIjyV41eH', 'duujL4QNd1', 'ax9jtMxCfN'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, MixCIbONTxYKq4JYeR.cs High entropy of concatenated method names: 'Dispose', 'kQ6poVcogM', 'DCN4cT4eNW', 'DtTMMZckUb', 'X3KpxtmXPK', 'znbpzEjKDu', 'ProcessDialogKey', 'JGn4mcDhWb', 'XIq4pLp5O4', 'MSe44D0q3W'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, TUssRygDr8sjbG2ASb.cs High entropy of concatenated method names: 'btNUJaE2I4', 'HSFUfBf7ne', 'aLQUexO8Vq', 'cBrU17QGgl', 'mvgUqAWe8W', 'bXTU2CfAcV', 'sbVUjj6v7r', 'i06UFBtjQg', 'B0YUb705nJ', 'f82UhUnuZA'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, dI766yvWoXEifPqtC3.cs High entropy of concatenated method names: 'zqSFul809L', 'bcyFl6D273', 'xGtFUhk5hQ', 'sLdFEO5fqa', 'mVXFy8aOvA', 'xLkFL5SU7F', 'HMUFtVG27X', 'lb0FdMUirh', 'PEeFvkF6HU', 'KYAFKQ0SeW'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, bCVkPj2qb5Ob5NYp2l.cs High entropy of concatenated method names: 'Fi0yZAsGMO', 'z6Dyl35PtF', 'KTwyEMV30r', 'D2XyL82aTX', 'wMvytpNZFO', 'CK9ErW7PdX', 'FMVEifMmG3', 'MtSE7SCOH1', 'i9BEBKJOnu', 'I8UEoj6UYn'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, Gfi7r87ifsLFGY2M1A.cs High entropy of concatenated method names: 'mOKpL2LOeX', 'Hk4ptObq5x', 'ENbpv5Ecfr', 'GLjpKevRMX', 'NqQpqtskyv', 'xxpp28aAQI', 'Iy7nV4Vml6i2JDHZgc', 'EjBPDB39AJqHdyj5dt', 'qjGxxExOEM5VHta2p2', 'mdipp7evTg'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, XZNGMaRh1iVe1T7tRw.cs High entropy of concatenated method names: 'hWkl9ywE1J', 'mimlNN8Kfr', 'r9wl8KD0le', 'krhlncQG4b', 'usRlrWh1qn', 'pvAliXFDi0', 'Alal7MBjta', 'fmQlBUh3AE', 'WImloc7UNS', 'SywlxMr4RL'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, wTVEfVjdfxonTGLWVt.cs High entropy of concatenated method names: 'AalbpEJCAx', 'mmFbDO9XkW', 'gfBbX19ERI', 'mmnbuXDZ4b', 'NaUblufxP7', 'vbSbEoaM0I', 'wZRbyUrehu', 'DSDF71MIp7', 'doWFBesAK8', 'QDuFo4GSbq'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, P4iBrYYtWeo13uAdCW.cs High entropy of concatenated method names: 'FDyDZfwegY', 'F5CDuPIyZG', 'E6VDlKNfo6', 'riKDUy1lq9', 'FRXDEhMO5i', 'mvYDyE8aWC', 'QDVDLHFQR1', 'FmTDtjUqv2', 'ofEDdvgVg2', 'hO3DvouLBG'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, F7PXvwkbCrp0yksg4y.cs High entropy of concatenated method names: 'KDdjBkL4Po', 'zdvjxo7oBL', 'fIiFm7wifw', 'iTAFpbGprP', 'AdJjS9l1Z7', 'EqUjaFuFDK', 'aKkjOktwda', 'znCj9Qe6q3', 'iGQjN7lS3v', 'a4Kj8Lvsu2'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, dKqS8cFIN1dX56nNFY.cs High entropy of concatenated method names: 'AljL0vodjs', 'mhoL6kmqe4', 'i8kL5RJ1jy', 'MO1LJQrFLR', 'iXxLwBnr5b', 'qjMLf4529C', 'MCCL3pSpLi', 'hJcLeLM69E', 'JXgL1EEo08', 'pmELkBDxDF'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, iCOmEBKMDjAh6X6SK2y.cs High entropy of concatenated method names: 'nYAb0MxgTU', 'jJ9b6o8xf3', 'g4sb5hUjYp', 'vi2bJyvKR7', 'PsQbw7UOok', 'SHYbfojMWu', 'x3Yb3VhBxl', 'J9XbeUAbiQ', 'jkcb12qkOs', 'KFwbk8jsn3'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, BKQ4dd4VQCEcwOGDg0.cs High entropy of concatenated method names: 'xHg5meUwI', 'vS4Jo0i2L', 'ailfyOONA', 'C1g3qhPp7', 'Bsj1baXxc', 'ftMkQcmMu', 'Pw4AiqXW7RmSXsCYxN', 'tWN5TskpsRic2C1XjE', 'imiFitVPW', 'RsmhbNRUa'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, CcCRQVxa89tGTbPktF.cs High entropy of concatenated method names: 'kXPqWpbYmg', 'RA1qaV9nPY', 'vAgq9bLaFv', 'coPqN6mUda', 'LBXqcCjsU9', 'qQTqgLnFhy', 'aDeqVfhXcp', 'GMrqR4RDFD', 'modqTM5DFo', 'PPuqCZFdqx'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, SsoqpGzoVWwgTYwUET.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'seXbPBfITh', 'tX7bqScaNT', 'vhub2n0aO4', 'HDnbj83TmM', 'dPXbFnhA19', 'AnPbbQpJMx', 'KBdbhbqbiv'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, SGbsmiHhmglYislFr9.cs High entropy of concatenated method names: 'vbELuHN13T', 'bCkLUOxJVU', 'c9NLyEmPPU', 'WDayxq0swQ', 'bIoyzGsOVF', 'ON5LmiC3n6', 'Ul2LpKbDZt', 'fvoL49I7De', 'BT8LD2g9jQ', 'aGiLXYjcF6'
Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, I7B4uAKw8ph5eVgtCWE.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OxAh91gJ5T', 'YxNhNhopol', 'MwIh89Bnaf', 'A6KhneIe73', 'YW3hrBc86T', 'LWjhii3oxq', 'pAuh7w9iZ6'
Drops PE files
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe File created: C:\Users\user\AppData\Roaming\cfEpcI.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: PO 102675-PI C247SH45.exe PID: 2860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cfEpcI.exe PID: 5520, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 1620000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 3270000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 3090000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 7710000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 8710000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 8890000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 9890000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 9F50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: AF50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: BF50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 1640000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 3070000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 2F90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 870000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 27F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: A80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 6D00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 6AD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 7D00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 8D00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 93B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: A3B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: B3B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 1270000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 2E00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 2D00000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7875 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 792 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7222 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2161 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Window / User API: threadDelayed 4167 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Window / User API: threadDelayed 5655 Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Window / User API: threadDelayed 1705
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Window / User API: threadDelayed 8160
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 6356 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2516 Thread sleep count: 7875 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6588 Thread sleep count: 792 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4808 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1416 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2648 Thread sleep time: -10145709240540247s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1792 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -31359464925306218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -99813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 6008 Thread sleep count: 4167 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -99697s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -99578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -99438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -99328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 6008 Thread sleep count: 5655 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -99188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -99072s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98966s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98641s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98374s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98157s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98032s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97907s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97782s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97563s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96829s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96704s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96579s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96454s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96329s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96204s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96079s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95829s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95704s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95579s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95454s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95329s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95204s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95079s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94829s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94704s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94579s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94454s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94329s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94204s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94079s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -93954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -93829s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 1316 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 2920 Thread sleep count: 1705 > 30
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 2920 Thread sleep count: 8160 > 30
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99668s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99561s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99344s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99234s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98576s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98467s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98150s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97922s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97594s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97266s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97046s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96937s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96828s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96719s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96609s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96500s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96390s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96281s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96168s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96047s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95937s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95828s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95719s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95609s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95500s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95391s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95281s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95172s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95062s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -94953s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -94844s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -94734s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -94625s >= -30000s
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -94516s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 99813 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 99697 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 99578 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 99438 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 99188 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 99072 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 98966 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 98860 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 98750 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 98641 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 98500 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 98374 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 98265 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 98157 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 98032 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 97907 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 97782 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 97672 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 97563 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 97438 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 97313 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 97188 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 97063 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 96954 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 96829 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 96704 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 96579 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 96454 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 96329 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 96204 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 96079 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 95954 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 95829 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 95704 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 95579 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 95454 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 95329 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 95204 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 95079 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 94954 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 94829 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 94704 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 94579 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 94454 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 94329 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 94204 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 94079 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 93954 Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 93829 Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 99668
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 99561
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 99344
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 99234
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 99125
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 99015
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 98906
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 98797
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 98687
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 98576
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 98467
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 98150
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 98031
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 97922
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 97812
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 97703
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 97594
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 97484
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 97375
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 97266
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 97156
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 97046
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 96937
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 96828
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 96719
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 96609
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 96500
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 96390
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 96281
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 96168
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 96047
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 95937
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 95828
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 95719
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 95609
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 95500
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 95391
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 95281
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 95172
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 95062
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 94953
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 94844
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 94734
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 94625
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 94516
Source: cfEpcI.exe, 0000000A.00000002.1614391489.0000000000A04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1569706995.0000000001720000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: PO 102675-PI C247SH45.exe, 00000009.00000002.2791699933.00000000014FF000.00000004.00000020.00020000.00000000.sdmp, cfEpcI.exe, 0000000E.00000002.2790878961.00000000010BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cfEpcI.exe"
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cfEpcI.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory written: C:\Users\user\AppData\Roaming\cfEpcI.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cfEpcI.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp" Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process created: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpF7DD.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process created: C:\Users\user\AppData\Roaming\cfEpcI.exe "C:\Users\user\AppData\Roaming\cfEpcI.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Queries volume information: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Queries volume information: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Queries volume information: C:\Users\user\AppData\Roaming\cfEpcI.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Queries volume information: C:\Users\user\AppData\Roaming\cfEpcI.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cfEpcI.exe.45a3508.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.PO 102675-PI C247SH45.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cfEpcI.exe.4568ae8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cfEpcI.exe.45a3508.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cfEpcI.exe.4568ae8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2793018287.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2789262829.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2792486568.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1617341416.0000000004568000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2793018287.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2792486568.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1571966268.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO 102675-PI C247SH45.exe PID: 2860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PO 102675-PI C247SH45.exe PID: 5916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cfEpcI.exe PID: 5520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cfEpcI.exe PID: 5348, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cfEpcI.exe.45a3508.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.PO 102675-PI C247SH45.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cfEpcI.exe.4568ae8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cfEpcI.exe.45a3508.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cfEpcI.exe.4568ae8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2789262829.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1617341416.0000000004568000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2793018287.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2792486568.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1571966268.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO 102675-PI C247SH45.exe PID: 2860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PO 102675-PI C247SH45.exe PID: 5916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cfEpcI.exe PID: 5520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cfEpcI.exe PID: 5348, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cfEpcI.exe.45a3508.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.PO 102675-PI C247SH45.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cfEpcI.exe.4568ae8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cfEpcI.exe.45a3508.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cfEpcI.exe.4568ae8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2793018287.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2789262829.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2792486568.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1617341416.0000000004568000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2793018287.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2792486568.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1571966268.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO 102675-PI C247SH45.exe PID: 2860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PO 102675-PI C247SH45.exe PID: 5916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cfEpcI.exe PID: 5520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cfEpcI.exe PID: 5348, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1501075 Sample: PO 102675-PI C247SH45.exe Startdate: 29/08/2024 Architecture: WINDOWS Score: 100 46 mail.iaa-airferight.com 2->46 50 Multi AV Scanner detection for domain / URL 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 13 other signatures 2->56 8 PO 102675-PI C247SH45.exe 7 2->8         started        12 cfEpcI.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\cfEpcI.exe, PE32 8->38 dropped 40 C:\Users\user\...\cfEpcI.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmpE520.tmp, XML 8->42 dropped 44 C:\Users\...\PO 102675-PI C247SH45.exe.log, ASCII 8->44 dropped 58 Adds a directory exclusion to Windows Defender 8->58 14 PO 102675-PI C247SH45.exe 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        60 Multi AV Scanner detection for dropped file 12->60 62 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->62 64 Machine Learning detection for dropped file 12->64 66 Injects a PE file into a foreign processes 12->66 24 cfEpcI.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 48 mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine 14->48 68 Loading BitLocker PowerShell Module 18->68 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->70 72 Tries to steal Mail credentials (via file / registry access) 24->72 74 Tries to harvest and steal ftp login credentials 24->74 76 Tries to harvest and steal browser information (history, passwords, etc) 24->76 36 conhost.exe 26->36         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
46.175.148.58
 mail.iaa-airferight.com Ukraine
56394 ASLAGIDKOM-NETUA true

Contacted Domains

Name IP Active
mail.iaa-airferight.com 46.175.148.58 true