Windows Analysis Report
z38PO_20248099-1_pdf.exe

Overview

General Information

Sample name: z38PO_20248099-1_pdf.exe
Analysis ID: 1518233
MD5: 5d5b5ecc06b9058d0ec3199ed8617cfe
SHA1: cbb1a95878e8a7a4ac09270a6dc7699c78996e28
SHA256: 0a58b574ccfb2898c4ee47a8dab29174c2193731573d4578b7b5ff83ad1196d6
Tags: AgentTesla, exe, user-Porcupine

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 19.2.sgxIb.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe ReversingLabs: Detection: 65%
Source: z38PO_20248099-1_pdf.exe ReversingLabs: Detection: 65%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Joe Sandbox ML: detected
Source: z38PO_20248099-1_pdf.exe Joe Sandbox ML: detected
Source: z38PO_20248099-1_pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:55429 version: TLS 1.2
Source: z38PO_20248099-1_pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: xaHV.pdbSHA256? source: z38PO_20248099-1_pdf.exe, FrFvspxoHsPs.exe.0.dr, sgxIb.exe.10.dr
Source: Binary string: xaHV.pdb source: z38PO_20248099-1_pdf.exe, FrFvspxoHsPs.exe.0.dr, sgxIb.exe.10.dr
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Code function: 4x nop then jmp 07114AC0h 0_2_071145C0
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Code function: 4x nop then inc dword ptr [ebp-0Ch] 11_2_055C5454
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 4x nop then jmp 06D93D60h 21_2_06D93860

Networking

Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.9:55431 -> 110.4.45.197:54539
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.9:49719 -> 110.4.45.197:58009
Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.9:49717 -> 110.4.45.197:21
Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.9:55430 -> 110.4.45.197:21
Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.9:49723 -> 110.4.45.197:21
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.9:49726 -> 110.4.45.197:53264
Source: global traffic TCP traffic: 110.4.45.197 ports 65044,63289,57088,53264,60779,54891,58978,52851,59326,54510,57687,50852,55829,54539,1,56820,51370,60205,60403,54484,2,58009,63809,56189,51237,50701,60062,21
Source: global traffic TCP traffic: 192.168.2.9:49715 -> 110.4.45.197:54484
Source: Joe Sandbox View IP Address: 172.67.74.152
Source: Joe Sandbox View ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: unknown FTP traffic detected: 110.4.45.197:21 -> 192.168.2.9:49712
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 26 of 50 allowed.
    220-Local time is now 20:42. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: ftp.haliza.com.my
Source: z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.0000000002C35000.00000004.00000800.00020000.00000000.sdmp, z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.0000000002AD3000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.00000000035CD000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.0000000003681000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.000000000358E000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.00000000033EB000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1620262791.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000018.00000002.3861351736.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000018.00000002.3861351736.000000000330B000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000018.00000002.3861351736.000000000325F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ftp.haliza.com.my
Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1446067123.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.000000000284C000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000B.00000002.1494492070.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.0000000003351000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000010.00000002.1556961678.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1620262791.0000000003071000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000015.00000002.1639610353.0000000002625000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000018.00000002.3861351736.000000000304C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1447223274.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1617599669.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1447223274.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.000000000284C000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.0000000003351000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1617599669.0000000000402000.00000040.00000400.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1620262791.0000000003071000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000018.00000002.3861351736.000000000304C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.000000000284C000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.0000000003351000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1620262791.0000000003071000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000018.00000002.3861351736.000000000304C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.000000000284C000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.0000000003351000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1620262791.0000000003071000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000018.00000002.3861351736.000000000304C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55429
Source: unknown Network traffic detected: HTTP traffic on port 55429 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, SKTzxzsJw.cs .Net Code: _71ZRqC1D
Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, SKTzxzsJw.cs .Net Code: _71ZRqC1D
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 19.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: initial sample Static PE information: Filename: z38PO_20248099-1_pdf.exe
Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1447223274.0000000003E1A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs z38PO_20248099-1_pdf.exe
Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1446067123.0000000002C59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs z38PO_20248099-1_pdf.exe
Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1447223274.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs z38PO_20248099-1_pdf.exe
Source: z38PO_20248099-1_pdf.exe, 00000000.00000000.1387309035.000000000067A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamexaHV.exeb! vs z38PO_20248099-1_pdf.exe
Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1440691328.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs z38PO_20248099-1_pdf.exe
Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1449696079.0000000007630000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs z38PO_20248099-1_pdf.exe
Source: z38PO_20248099-1_pdf.exe, 0000000A.00000002.3854298767.00000000008F9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z38PO_20248099-1_pdf.exe
Source: z38PO_20248099-1_pdf.exe Binary or memory string: OriginalFilenamexaHV.exeb! vs z38PO_20248099-1_pdf.exe
Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 19.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: z38PO_20248099-1_pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FrFvspxoHsPs.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, hyUOVBe1ZWdha1wZaD.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, vFQ3EBHyQMQUMUhg1F.cs Security API names: _0020.SetAccessControl
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, vFQ3EBHyQMQUMUhg1F.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, vFQ3EBHyQMQUMUhg1F.cs Security API names: _0020.AddAccessRule
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, hyUOVBe1ZWdha1wZaD.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, vFQ3EBHyQMQUMUhg1F.cs Security API names: _0020.SetAccessControl
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, vFQ3EBHyQMQUMUhg1F.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, vFQ3EBHyQMQUMUhg1F.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@33/20@2/2
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe File created: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1524:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Mutant created: \Sessions\1\BaseNamedObjects\TXGnEFlEXydaiQyuTdtXJztKri
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmpD40B.tmp
Source: z38PO_20248099-1_pdf.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: z38PO_20248099-1_pdf.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe File read: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpEC46.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Process created: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe "C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmp675.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmp26DE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
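Read as a tree, the "Process created" rows above show the whole chain: the sample spawns powershell.exe to add Defender exclusions for itself and for its dropped copy, spawns schtasks.exe to register Updates\FrFvspxoHsPs from an XML in %TEMP%, and then launches a second copy of its own image (the row that goes with "Creates a process in suspended mode" and the AgentTesla payload found in the child's memory). The following is an added example, not part of the Joe Sandbox report, that parses rows in this report's own "Source: <parent> Process created: <image> <command line>" format, rebuilds the tree and tags each event with those patterns plus execution from %APPDATA%. The row set is constructed from the report's command lines with the conhost.exe and WmiPrvSE.exe helpers left out; the tag names and helper names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed from the "Process created" rows of this report (analysis 1518233); the
# conhost.exe and WmiPrvSE.exe helper children are left out to keep the sample short.
SAMPLE_ROWS = r"""
Source: unknown Process created: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpEC46.tmp"
"""

# One report row: parent image, child image (no spaces in these paths), then the command line.
ROW_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>.*)$")


@dataclass
class Proc:
    image: str
    cmdline: str
    parent_image: str
    tags: set = field(default_factory=set)
    children: list = field(default_factory=list)


def tag_process(image: str, cmdline: str, parent_image: str) -> set:
    """Labels (my own names) a detection engineer would attach to one process-creation event."""
    tags = set()
    img, cmd = image.lower(), cmdline.lower()
    # Defender exclusion added from the command line (the two Add-MpPreference rows).
    if img.endswith("powershell.exe") and re.search(r"add-mppreference\s.*-exclusion(path|process|extension)", cmd):
        tags.add("defender_exclusion")
    # Scheduled task registered from an XML that lives in a temp directory.
    if img.endswith("schtasks.exe") and "/create" in cmd and re.search(r'/xml\s+"?[^"]*\\(?:temp|tmp)\\', cmd):
        tags.add("schtasks_xml_from_temp")
    # A binary launching a second copy of itself: the pattern behind
    # "Creates a process in suspended mode" and the payload unpacked from the child.
    if img == parent_image.lower():
        tags.add("self_spawn")
    # Executables running out of the roaming profile (FrFvspxoHsPs.exe, sgxIb.exe).
    if "\\appdata\\roaming\\" in img:
        tags.add("runs_from_appdata")
    return tags


def parse_rows(text: str) -> list:
    """Turn report rows into tagged Proc records, in report order."""
    procs = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        p = Proc(m["image"], m["cmdline"], m["parent"])
        p.tags = tag_process(p.image, p.cmdline, p.parent_image)
        procs.append(p)
    return procs


def build_tree(procs: list) -> list:
    """Link each event to the most recent earlier event whose image is the parent path.
    Using the latest earlier instance is what stops the self-spawn rows forming a cycle.
    Returns the root processes (parent 'unknown' or never seen)."""
    roots = []
    for i, p in enumerate(procs):
        parent = next((q for q in reversed(procs[:i]) if q.image.lower() == p.parent_image.lower()), None)
        (parent.children if parent else roots).append(p)
    return roots


def render(nodes: list, depth: int = 0) -> list:
    """Indented text tree, one line per process, tags in brackets."""
    out = []
    for n in nodes:
        label = n.image.rsplit("\\", 1)[-1]
        flags = f"  [{', '.join(sorted(n.tags))}]" if n.tags else ""
        out.append("  " * depth + label + flags)
        out.extend(render(n.children, depth + 1))
    return out


if __name__ == "__main__":
    print("\n".join(render(build_tree(parse_rows(SAMPLE_ROWS)))))
```

The tree printed for the constructed rows puts the powershell.exe, schtasks.exe and the second z38PO_20248099-1_pdf.exe under the first sample instance, and the schtasks.exe launched by FrFvspxoHsPs.exe under the dropped copy; the same four tags map directly onto the Sigma and behaviour signatures listed at the top of the report.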
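Every schtasks.exe row registers the same task name, Updates\FrFvspxoHsPs, from a tmp*.tmp XML in %TEMP% that is gone by the time anyone looks; the report shows the file being created but not its contents. The following is an added example, not part of the report, of the check an incident responder runs afterwards against the on-disk task store (C:\Windows\System32\Tasks): parse each task definition and flag Exec actions that point into user-writable locations, hidden tasks and logon triggers. The two task definitions are constructed for illustration; the FrFvspxoHsPs action path is an assumption based on the dropped file, the benign "Vendor\Updater" task is invented, and the XML namespace is the real Task Scheduler one.

```python
import os
import xml.etree.ElementTree as ET

# Task Scheduler's XML namespace (the real one; every task definition on disk uses it).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to; an Exec action pointing here deserves a look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\", "\\temp\\", "\\programdata\\", "\\public\\")

# Constructed illustration of what the tmpD40B.tmp handed to "schtasks /Create /XML" could
# contain. The report shows only the task name; the Command path is an assumption.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign counterpart: vendor updater under Program Files, calendar trigger, not hidden.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><Enabled>true</Enabled></CalendarTrigger>
  </Triggers>
  <Settings>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""


def audit_task(task_name: str, root: ET.Element) -> dict:
    """Examine one parsed task definition and return what an analyst would triage."""
    findings, commands = [], []
    for exec_el in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (exec_el.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exec_el.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        commands.append(cmd)
        for text in (cmd, args):
            if any(marker in text.lower() for marker in USER_WRITABLE_MARKERS):
                findings.append(f"action references user-writable path: {text}")
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS) or "false"
    if hidden.strip().lower() == "true":
        findings.append("task is hidden")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("runs at logon")
    folder = task_name.split("\\")[0] if "\\" in task_name else ""
    return {
        "name": task_name,
        "folder": folder,  # e.g. "Updates": a non-Microsoft folder name is context, not proof
        "commands": commands,
        "findings": findings,
        # Hidden/logon alone are common in legitimate tasks; the action path decides.
        "suspicious": any("user-writable" in f for f in findings),
    }


def audit_task_xml(task_name: str, xml_text: str) -> dict:
    """Convenience wrapper for a definition held as text (schtasks /Query /XML output, a sandbox dump)."""
    return audit_task(task_name, ET.fromstring(xml_text))


def audit_tasks_folder(tasks_root: str = r"C:\Windows\System32\Tasks") -> list:
    """Walk the on-disk task store. Files are extension-less UTF-16 XML with a BOM, which
    ET.parse handles from the raw bytes. Returns only tasks with at least one finding."""
    results = []
    for dirpath, _, files in os.walk(tasks_root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                results.append(audit_task(os.path.relpath(path, tasks_root), ET.parse(path).getroot()))
            except ET.ParseError:
                continue
    return [r for r in results if r["findings"]]


if __name__ == "__main__":
    for name, xml in (("Updates\\FrFvspxoHsPs", SUSPICIOUS_TASK_XML), ("Vendor\\Updater", BENIGN_TASK_XML)):
        result = audit_task_xml(name, xml)
        print(name, "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
```

On a live host the same definition can be pulled without touching the task store with `schtasks /Query /TN "Updates\FrFvspxoHsPs" /XML` and fed to `audit_task_xml`; the registry copy under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache is worth checking too when the file has been removed but the task still fires.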
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Section loaded: windowscodecs.dll
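The module-load list above is raw sandbox output, and the useful signal is buried in it: a dropped executable under AppData\Roaming that loads vaultcli.dll (Windows Credential Manager) and dpapi.dll (DPAPI unprotect, used to decrypt saved browser and mail passwords) alongside schannel.dll and winhttp.dll (TLS client for exfiltration), while schtasks.exe loads taskschd.dll for persistence. The following is an added triage script, not part of the Joe Sandbox report: it parses "Section loaded" lines, groups them per process and scores the combination. The MODULE_TAGS mapping, the scoring weights and the sample lines (copied from the list above) are this example's own choices.

```python
import re
from collections import defaultdict

# Module-to-behaviour mapping used for triage. The tags are this example's own
# heuristic, assembled from the modules that appear in the report; they are not
# Joe Sandbox signatures.
MODULE_TAGS = {
    "vaultcli.dll": "credential-access:windows-credential-manager",
    "dpapi.dll": "credential-access:dpapi-unprotect",
    "rsaenh.dll": "crypto:capi-rsa-aes",
    "schannel.dll": "network:tls",
    "winhttp.dll": "network:winhttp",
    "mswsock.dll": "network:winsock",
    "taskschd.dll": "persistence:task-scheduler",
    "mscoree.dll": "runtime:clr",
}

SECTION_LOADED_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+Section loaded:\s+(?P<mod>\S+)"
)


def parse_section_loaded(lines):
    """Group 'Section loaded' report lines by process path (modules lower-cased, order kept)."""
    loads = defaultdict(list)
    for line in lines:
        m = SECTION_LOADED_RE.match(line.strip())
        if m:
            loads[m.group("proc")].append(m.group("mod").lower())
    return dict(loads)


def tag_modules(modules):
    """Return the sorted set of behaviour tags for a module list."""
    return sorted({MODULE_TAGS[m] for m in modules if m in MODULE_TAGS})


def from_user_writable_path(path):
    """True for executables living under a user profile (AppData, Desktop, Temp)."""
    p = path.lower()
    return any(marker in p for marker in ("\\appdata\\", "\\desktop\\", "\\temp\\"))


def triage(lines):
    """Score each process: credential access plus a network stack reads as a stealer
    with exfiltration; task-scheduler use as persistence; a user-writable image
    path as a dropped payload. Weights are arbitrary but ordered by severity."""
    report = {}
    for proc, mods in parse_section_loaded(lines).items():
        tags = tag_modules(mods)
        cats = {t.split(":", 1)[0] for t in tags}
        score = 0
        if "credential-access" in cats:
            score += 3
        if "credential-access" in cats and "network" in cats:
            score += 2
        if "persistence" in cats:
            score += 2
        if from_user_writable_path(proc):
            score += 1
        report[proc] = {"tags": tags, "score": score}
    return report


# Sample input: a handful of lines copied from the report's module-load list.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: mscoree.dll",
    r"Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: rsaenh.dll",
    r"Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: winhttp.dll",
    r"Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: schannel.dll",
    r"Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: vaultcli.dll",
    r"Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Section loaded: dpapi.dll",
    r"Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll",
    r"Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll",
    r"Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll",
    r"Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll",
]

if __name__ == "__main__":
    ranked = sorted(triage(SAMPLE_LINES).items(), key=lambda kv: -kv[1]["score"])
    for proc, verdict in ranked:
        print(f"{verdict['score']:2d}  {proc}  {', '.join(verdict['tags'])}")
```

Run against the sample, the dropped FrFvspxoHsPs.exe ranks first (credential access, network stack, user-writable path), schtasks.exe is flagged for persistence only, and WmiPrvSE.exe scores zero because the WMI provider host loading its own wbem modules is normal; the point is that the combination per process, not any single DLL, is what separates a stealer from background noise.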
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: z38PO_20248099-1_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: z38PO_20248099-1_pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: z38PO_20248099-1_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: xaHV.pdbSHA256? source: z38PO_20248099-1_pdf.exe, FrFvspxoHsPs.exe.0.dr, sgxIb.exe.10.dr
Source: Binary string: xaHV.pdb source: z38PO_20248099-1_pdf.exe, FrFvspxoHsPs.exe.0.dr, sgxIb.exe.10.dr

Data Obfuscation

Source: z38PO_20248099-1_pdf.exe, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: FrFvspxoHsPs.exe.0.dr, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, vFQ3EBHyQMQUMUhg1F.cs .Net Code: qEJ4BgbjJ7 System.Reflection.Assembly.Load(byte[])
Source: 0.2.z38PO_20248099-1_pdf.exe.5680000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.z38PO_20248099-1_pdf.exe.2bd7f58.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, vFQ3EBHyQMQUMUhg1F.cs .Net Code: qEJ4BgbjJ7 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Code function: 0_2_050B5FA8 push eax; retn 050Ah 0_2_050B6009
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Code function: 0_2_050B57ED push edx; iretd 0_2_050B57FB
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Code function: 0_2_07115FF3 push FFFFFF8Bh; iretd 0_2_07115FFB
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Code function: 0_2_07116032 push FFFFFF8Bh; iretd 0_2_0711603A
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Code function: 0_2_07116077 push FFFFFF8Bh; iretd 0_2_0711607F
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Code function: 10_2_02650C55 push ebx; retf 10_2_02650C52
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Code function: 10_2_02650C55 push edi; retf 10_2_02650C7A
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Code function: 10_2_064A212A push ss; ret 10_2_064A212E
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Code function: 10_2_064AEA70 push es; ret 10_2_064AEA80
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Code function: 10_2_064A4A9E push ecx; retf 10_2_064A4ACC
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Code function: 10_2_064AA872 push es; ret 10_2_064AA880
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Code function: 10_2_064A3E58 push ecx; iretd 10_2_064A3E1C
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Code function: 11_2_055CFEA8 push eax; mov dword ptr [esp], ecx 11_2_055CFEBC
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Code function: 15_2_0321F8E8 pushad ; retf 15_2_0321F8F1
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Code function: 15_2_03210C55 push edi; retf 15_2_03210C7A
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 16_2_05EC57F4 push edx; iretd 16_2_05EC57FB
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 16_2_05EC4ECC push eax; retn 05EBh 16_2_05EC6009
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 16_2_05EC09E8 push eax; ret 16_2_05EC0A13
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 16_2_05EC09E1 push eax; ret 16_2_05EC0A13
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 19_2_0302F7C8 pushad ; retf 19_2_0302F7D1
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 19_2_03020C55 push edi; retf 19_2_03020C7A
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 24_2_0151F7C8 pushad ; retf 24_2_0151F7D1
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 24_2_01510C55 push edi; retf 24_2_01510C7A
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 24_2_06CC7E88 push es; ret 24_2_06CC7E96
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 24_2_06CC9E82 push es; ret 24_2_06CC9E8E
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 24_2_06CCE4BA push cs; ret 24_2_06CCE4CE
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 24_2_06CC3513 push esp; ret 24_2_06CC352A
Source: z38PO_20248099-1_pdf.exe Static PE information: section name: .text entropy: 7.8170394032595425
Source: FrFvspxoHsPs.exe.0.dr Static PE information: section name: .text entropy: 7.8170394032595425
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, KiELhXYqyrVZFhQm9F.cs High entropy of concatenated method names: 'WQwm6gv9f6', 'XfAmTbGL5G', 'ToString', 'WyPmD9wyUK', 'mvGmn5yPbr', 'QOqm1rPWPD', 'Lcamk37kOf', 'VPNmG6UXO1', 'knPmMWB3Dg', 'siumHKE0rd'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, LosAFPfFkBtD5oRCm2.cs High entropy of concatenated method names: 'OWH12OXe09', 'qwJ1wSdLWf', 'kTi1ef5h1I', 'HRb1f3DrKr', 'ij31x1JdkX', 'qiI1VZrNBo', 'dp31m7Q08Y', 'IXl1u93Ups', 'Xn01Kdfyuh', 'Uts17rW8xu'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, gtyGge5Kctx3uBBAdU.cs High entropy of concatenated method names: 'mmGBqq7aD', 'xLd2PiFJf', 'GvTw2CtOR', 'jHsssupJ7', 'TTnfMPdIK', 'ykcNXXthO', 'AMSX7KVOArCvgFfP8v', 'GaNwl3hpfBQYCPf6eW', 'XmyuHR8tS', 'zUw7mQdp0'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, Btk7iA0RH8qsXNA6XR.cs High entropy of concatenated method names: 'sfDMDZXSRG', 'gG4M1ryWYo', 'J2AMG9Hq8h', 'DVRGqxh6b0', 'iQHGzEuC7h', 'Oa7MliaVfe', 'rKAMpp1CnG', 'NvhM5wW4UV', 'BQrMCVndqT', 'KIkM4j2EFx'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, mIbugt8UBrxYxJw7d9.cs High entropy of concatenated method names: 'e3QxR2LZ5N', 'KWSxIZx8w1', 'a63x83fXoI', 'aJHxQhaEwl', 'OwixrAIPvE', 'TgkxdkNH2D', 'JTsxyQXttN', 'nD9xLkyQmb', 'jrmxoWrl8s', 'yYpx0h2YyJ'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, NQgoNYzj1EmPVwiDCI.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'p28Kjp6YnY', 'rqaKxKWW3m', 'j79KVTmwsh', 'pLCKmwjiqT', 'dGfKum3DUr', 'N5aKKee1CP', 'aFlK7L2fQo'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, XLS43Ob5jtstyTsgIa.cs High entropy of concatenated method names: 'rahGZOsbsQ', 'qdoGnCaJBk', 'jS9GkhwoHu', 'rxPGMBi0WX', 'c8LGHvgi9H', 'XhIkcytqrs', 'd5Dkhd2tCB', 'h9JkiX4EoC', 'ziwkABAdQ3', 'v3PkXDGW6x'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, hyUOVBe1ZWdha1wZaD.cs High entropy of concatenated method names: 'LyUn8SmLII', 'jxfnQJo71P', 'DTYn9UUcp9', 'bPGnYgBJgt', 'vOancPAkK8', 'VIknhScJ3x', 'Fwnni6G9XV', 'M8MnAara2l', 'uCrnXf754Z', 'GjanqNMkAU'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, IOlxvM446LtJUjmNsy.cs High entropy of concatenated method names: 'tL1pMyUOVB', 'gZWpHdha1w', 'BFkp6BtD5o', 'NCmpT2oMv6', 'ylkpx6sXLS', 'd3OpV5jtst', 'XbSnpPPIF5TmoAVZIX', 'NGfINU8wuxOOokBS4X', 'sXkppkyPYZ', 'WMUpC2bwvR'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, KMv6cONvy6c99alk6s.cs High entropy of concatenated method names: 'p67kPZ6JI8', 'VioksYKdnF', 'D0r1dB79Ga', 'Qmy1y6x5wW', 'ewv1LgXGqT', 'FSD1okqm2Z', 'ebJ10bGLxV', 'xAu1gg9qXI', 'usd13Rf6dW', 'pUu1RRkrrk'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, h2lXrm1Ln8E0TaGMPo.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fa95XURHLa', 'BqR5qX0VOu', 'ruG5zW87XN', 'rC1Cl6qJpE', 'T5nCpeRQ4R', 'R9eC5qfF53', 'lUMCCBaiuT', 'Egqflrjv6adHqw3KMji'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, wXB90Xh1HN6yrjDMQ1.cs High entropy of concatenated method names: 'D0gmAWwSHf', 'MgQmqjcEc5', 'QVMul4KH9H', 'fPmupIOoSp', 'Y3hmth41iW', 'SEpmIJvLHQ', 'Q88mUOFlHv', 'US0m8WRXfY', 'YdXmQk9Duu', 'pHEm9uxpC4'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, SgNYaD3LV8cmdtSDnX.cs High entropy of concatenated method names: 'bFdMWtGWxE', 'b89MaoM6hb', 'XRoMB7ccRl', 'alXM2yv1qA', 'BqkMPJhc1G', 'FQ9MwqHfyG', 'bGkMswvJwh', 'oGUMes59bC', 'xupMfB8ur6', 'QvSMN757x4'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, Hp3PG9AOidGHUBXNgK.cs High entropy of concatenated method names: 'IZNuDgnyvZ', 'V4Funt7SP7', 'Hcpu1Cyu3h', 'brEukoh6uL', 'hdMuG233rp', 'qg8uMgkJQ9', 'x4iuHfpSsn', 'osBuJTqR2U', 'tgKu6FCbPq', 'zExuTmo105'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, kvAMVNXS38qY0xwrDy.cs High entropy of concatenated method names: 'uZ6ubRc4iI', 'GB6ursU8DU', 'EwsudcKLt8', 'mFiuyRCJDv', 'YqVu8EGSQG', 'BAcuLnvCb2', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, vFQ3EBHyQMQUMUhg1F.cs High entropy of concatenated method names: 'iDyCZCl2NO', 'EucCDu8ra2', 'wQbCnwR297', 'lUVC1kmXCn', 'sVwCkQKZ4Q', 'VXwCG0QkF1', 'EJrCMxRfMA', 'ghXCHWkixt', 'Me1CJqcd4A', 'exrC6849gM'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, v9itLPURwknRP82u3f.cs High entropy of concatenated method names: 'HcOje7Dib0', 'ahyjfRtSqK', 'VZmjbZ75vw', 'AiajrDyfl6', 'O7GjyCdfkD', 'FK0jLmouh0', 'sWVj0xJL6x', 'VU8jgIgmPv', 'xUtjRAVfkH', 'Essjtq1gGF'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, kKIrOFqfXlJBOvlLF4.cs High entropy of concatenated method names: 'pljKpNl0L0', 'jSRKCM0rWY', 'jI2K4Ki9op', 'sSvKDgEuEJ', 'qmqKnDxpwI', 'I3gKkvF3P2', 'uisKG9jkDJ', 'xrWuifgu1D', 'aQkuAFDOS7', 'AUquXUcsV6'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, tYlXo7plxHHOXyr1xAA.cs High entropy of concatenated method names: 'tYNKWZHBM8', 'CJcKaKAo0A', 'qEDKBRqyRM', 'W1mK2mjv26', 'W0HKPvUmbJ', 'UsBKw38q2D', 'ImoKsKmmJl', 'NhUKePXN2k', 'LHWKf09C0I', 'jQsKNIjt5i'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, zX1E86n7h6RxPR8vj1.cs High entropy of concatenated method names: 'Dispose', 'jeLpXK1jCZ', 'NJl5ryctC9', 'Tv8bbL7yeA', 'brppq3PG9O', 'VdGpzHUBXN', 'ProcessDialogKey', 'MKH5lvAMVN', 'w385pqY0xw', 'GDy55HKIrO'
Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, W1bE9hpCShXBmpV1YBK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OiS78Qta8Z', 'cS57QkVfqq', 'cm479tE9LB', 'TSH7YUf7nB', 'Wws7c9guex', 'bkT7h3Xq1V', 'Jhh7ikHB85'
Source: 0.2.z38PO_20248099-1_pdf.exe.5680000.5.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.z38PO_20248099-1_pdf.exe.5680000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.z38PO_20248099-1_pdf.exe.2bd7f58.1.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.z38PO_20248099-1_pdf.exe.2bd7f58.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, KiELhXYqyrVZFhQm9F.cs High entropy of concatenated method names: 'WQwm6gv9f6', 'XfAmTbGL5G', 'ToString', 'WyPmD9wyUK', 'mvGmn5yPbr', 'QOqm1rPWPD', 'Lcamk37kOf', 'VPNmG6UXO1', 'knPmMWB3Dg', 'siumHKE0rd'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, LosAFPfFkBtD5oRCm2.cs High entropy of concatenated method names: 'OWH12OXe09', 'qwJ1wSdLWf', 'kTi1ef5h1I', 'HRb1f3DrKr', 'ij31x1JdkX', 'qiI1VZrNBo', 'dp31m7Q08Y', 'IXl1u93Ups', 'Xn01Kdfyuh', 'Uts17rW8xu'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, gtyGge5Kctx3uBBAdU.cs High entropy of concatenated method names: 'mmGBqq7aD', 'xLd2PiFJf', 'GvTw2CtOR', 'jHsssupJ7', 'TTnfMPdIK', 'ykcNXXthO', 'AMSX7KVOArCvgFfP8v', 'GaNwl3hpfBQYCPf6eW', 'XmyuHR8tS', 'zUw7mQdp0'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, Btk7iA0RH8qsXNA6XR.cs High entropy of concatenated method names: 'sfDMDZXSRG', 'gG4M1ryWYo', 'J2AMG9Hq8h', 'DVRGqxh6b0', 'iQHGzEuC7h', 'Oa7MliaVfe', 'rKAMpp1CnG', 'NvhM5wW4UV', 'BQrMCVndqT', 'KIkM4j2EFx'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, mIbugt8UBrxYxJw7d9.cs High entropy of concatenated method names: 'e3QxR2LZ5N', 'KWSxIZx8w1', 'a63x83fXoI', 'aJHxQhaEwl', 'OwixrAIPvE', 'TgkxdkNH2D', 'JTsxyQXttN', 'nD9xLkyQmb', 'jrmxoWrl8s', 'yYpx0h2YyJ'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, NQgoNYzj1EmPVwiDCI.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'p28Kjp6YnY', 'rqaKxKWW3m', 'j79KVTmwsh', 'pLCKmwjiqT', 'dGfKum3DUr', 'N5aKKee1CP', 'aFlK7L2fQo'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, XLS43Ob5jtstyTsgIa.cs High entropy of concatenated method names: 'rahGZOsbsQ', 'qdoGnCaJBk', 'jS9GkhwoHu', 'rxPGMBi0WX', 'c8LGHvgi9H', 'XhIkcytqrs', 'd5Dkhd2tCB', 'h9JkiX4EoC', 'ziwkABAdQ3', 'v3PkXDGW6x'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, hyUOVBe1ZWdha1wZaD.cs High entropy of concatenated method names: 'LyUn8SmLII', 'jxfnQJo71P', 'DTYn9UUcp9', 'bPGnYgBJgt', 'vOancPAkK8', 'VIknhScJ3x', 'Fwnni6G9XV', 'M8MnAara2l', 'uCrnXf754Z', 'GjanqNMkAU'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, IOlxvM446LtJUjmNsy.cs High entropy of concatenated method names: 'tL1pMyUOVB', 'gZWpHdha1w', 'BFkp6BtD5o', 'NCmpT2oMv6', 'ylkpx6sXLS', 'd3OpV5jtst', 'XbSnpPPIF5TmoAVZIX', 'NGfINU8wuxOOokBS4X', 'sXkppkyPYZ', 'WMUpC2bwvR'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, KMv6cONvy6c99alk6s.cs High entropy of concatenated method names: 'p67kPZ6JI8', 'VioksYKdnF', 'D0r1dB79Ga', 'Qmy1y6x5wW', 'ewv1LgXGqT', 'FSD1okqm2Z', 'ebJ10bGLxV', 'xAu1gg9qXI', 'usd13Rf6dW', 'pUu1RRkrrk'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, h2lXrm1Ln8E0TaGMPo.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fa95XURHLa', 'BqR5qX0VOu', 'ruG5zW87XN', 'rC1Cl6qJpE', 'T5nCpeRQ4R', 'R9eC5qfF53', 'lUMCCBaiuT', 'Egqflrjv6adHqw3KMji'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, wXB90Xh1HN6yrjDMQ1.cs High entropy of concatenated method names: 'D0gmAWwSHf', 'MgQmqjcEc5', 'QVMul4KH9H', 'fPmupIOoSp', 'Y3hmth41iW', 'SEpmIJvLHQ', 'Q88mUOFlHv', 'US0m8WRXfY', 'YdXmQk9Duu', 'pHEm9uxpC4'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, SgNYaD3LV8cmdtSDnX.cs High entropy of concatenated method names: 'bFdMWtGWxE', 'b89MaoM6hb', 'XRoMB7ccRl', 'alXM2yv1qA', 'BqkMPJhc1G', 'FQ9MwqHfyG', 'bGkMswvJwh', 'oGUMes59bC', 'xupMfB8ur6', 'QvSMN757x4'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, Hp3PG9AOidGHUBXNgK.cs High entropy of concatenated method names: 'IZNuDgnyvZ', 'V4Funt7SP7', 'Hcpu1Cyu3h', 'brEukoh6uL', 'hdMuG233rp', 'qg8uMgkJQ9', 'x4iuHfpSsn', 'osBuJTqR2U', 'tgKu6FCbPq', 'zExuTmo105'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, kvAMVNXS38qY0xwrDy.cs High entropy of concatenated method names: 'uZ6ubRc4iI', 'GB6ursU8DU', 'EwsudcKLt8', 'mFiuyRCJDv', 'YqVu8EGSQG', 'BAcuLnvCb2', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, vFQ3EBHyQMQUMUhg1F.cs High entropy of concatenated method names: 'iDyCZCl2NO', 'EucCDu8ra2', 'wQbCnwR297', 'lUVC1kmXCn', 'sVwCkQKZ4Q', 'VXwCG0QkF1', 'EJrCMxRfMA', 'ghXCHWkixt', 'Me1CJqcd4A', 'exrC6849gM'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, v9itLPURwknRP82u3f.cs High entropy of concatenated method names: 'HcOje7Dib0', 'ahyjfRtSqK', 'VZmjbZ75vw', 'AiajrDyfl6', 'O7GjyCdfkD', 'FK0jLmouh0', 'sWVj0xJL6x', 'VU8jgIgmPv', 'xUtjRAVfkH', 'Essjtq1gGF'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, kKIrOFqfXlJBOvlLF4.cs High entropy of concatenated method names: 'pljKpNl0L0', 'jSRKCM0rWY', 'jI2K4Ki9op', 'sSvKDgEuEJ', 'qmqKnDxpwI', 'I3gKkvF3P2', 'uisKG9jkDJ', 'xrWuifgu1D', 'aQkuAFDOS7', 'AUquXUcsV6'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, tYlXo7plxHHOXyr1xAA.cs High entropy of concatenated method names: 'tYNKWZHBM8', 'CJcKaKAo0A', 'qEDKBRqyRM', 'W1mK2mjv26', 'W0HKPvUmbJ', 'UsBKw38q2D', 'ImoKsKmmJl', 'NhUKePXN2k', 'LHWKf09C0I', 'jQsKNIjt5i'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, zX1E86n7h6RxPR8vj1.cs High entropy of concatenated method names: 'Dispose', 'jeLpXK1jCZ', 'NJl5ryctC9', 'Tv8bbL7yeA', 'brppq3PG9O', 'VdGpzHUBXN', 'ProcessDialogKey', 'MKH5lvAMVN', 'w385pqY0xw', 'GDy55HKIrO'
Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, W1bE9hpCShXBmpV1YBK.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OiS78Qta8Z', 'cS57QkVfqq', 'cm479tE9LB', 'TSH7YUf7nB', 'Wws7c9guex', 'bkT7h3Xq1V', 'Jhh7ikHB85'
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe File created: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe File created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

Boot Survival

Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: z38PO_20248099-1_pdf.exe PID: 7644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sgxIb.exe PID: 1792, type: MEMORYSTR
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Memory allocated: FE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Memory allocated: 2BA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Memory allocated: 28F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Memory allocated: 77B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Memory allocated: 87B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Memory allocated: 8950000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Memory allocated: 9950000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Memory allocated: 2610000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Memory allocated: 2840000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Memory allocated: 4840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Memory allocated: 1450000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Memory allocated: 2F90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Memory allocated: 4F90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Memory allocated: 7940000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Memory allocated: 8940000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Memory allocated: 8AE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Memory allocated: 9AE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Memory allocated: 31D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Memory allocated: 3350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Memory allocated: 5350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 1700000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 3260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 5260000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 7B00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 8B00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 8C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 9C90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 3020000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 3070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 5070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 25C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 24F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 7030000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 8030000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 81D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 91D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 1510000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 3040000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 5040000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599859
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599743
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599625
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599515
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599406
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599297
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599187
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599078
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598963
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598844
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598733
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598625
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598462
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598344
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598124
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598013
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597890
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597781
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597672
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597562
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597453
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597343
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597234
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597125
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597012
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596890
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596781
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596672
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596562
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596453
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596273
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596156
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596042
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 595890
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 595679
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 595534
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 595418
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 595294
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 595152
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 595031
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594922
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594812
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594703
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594593
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594484
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594375
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594265
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594156
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594046
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 593936
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 593812
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599561
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599449
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598576
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598469
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598318
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598134
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598002
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 597890
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 597775
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 597168
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596952
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596843
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596595
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596469
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596344
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596234
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596122
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 595797
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 595568
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 594729
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 594625
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 594511
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 594406
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 594297
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 594187
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 594073
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593953
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593843
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593734
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593625
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593515
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593402
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593297
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593187
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599529
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598719
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598484
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598375
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598155
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598008
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597688
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597563
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597094
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596875
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596766
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596094
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595984
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595869
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595719
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595608
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595500
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595371
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595151
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594813
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594547
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594437
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594328
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594200
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594092
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 593982
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 593874
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599516
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599406
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599297
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598719
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595675
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595339
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594110
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 593985
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3603
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4600
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 387
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Window / User API: threadDelayed 5638
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Window / User API: threadDelayed 4186
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Window / User API: threadDelayed 3490
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Window / User API: threadDelayed 6360
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 4235
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 5217
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 3595
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 6197
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7664 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8132 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8160 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -599859s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -599743s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -599625s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -599515s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -599406s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -599297s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -599187s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -599078s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -598963s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -598844s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -598733s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -598625s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -598462s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -598344s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -598124s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -598013s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -597890s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -597781s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -597672s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -597562s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -597453s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -597343s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -597234s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -597125s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -597012s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -596890s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -596672s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -596562s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -596453s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -596273s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -596156s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -596042s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -595890s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -595679s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -595534s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -595418s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -595294s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -595152s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -595031s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -594922s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -594812s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -594703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -594593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -594484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -594375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -594265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -594156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -594046s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -593936s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe TID: 7056 Thread sleep time: -593812s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 6172 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -599561s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -599449s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -599343s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -599015s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -598906s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -598797s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -598687s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -598576s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -598469s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -598318s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -598134s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -598002s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -597890s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -597775s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -597672s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -597168s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -597062s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -596952s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -596843s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -596734s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -596595s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -596469s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -596344s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -596234s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -596122s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -595797s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -595687s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -595568s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -594729s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -594625s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -594511s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -594406s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -594297s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -594187s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -594073s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -593953s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -593843s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -593734s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -593625s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -593515s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -593402s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -593297s >= -30000s
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe TID: 1592 Thread sleep time: -593187s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 1832 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7784 Thread sleep count: 4235 > 30
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7784 Thread sleep count: 5217 > 30
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -599641s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -599529s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -598938s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -598828s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -598719s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -598594s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -598484s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -598375s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -598155s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -598008s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -597688s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -597563s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -597438s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -597219s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -597094s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -596875s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -596766s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -596547s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -596437s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -596328s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -596219s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -596094s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -595984s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -595869s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -595719s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -595608s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -595500s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -595371s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -595151s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -594813s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -594656s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -594547s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -594437s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -594328s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -594200s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -594092s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -593982s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3240 Thread sleep time: -593874s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 3972 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -599641s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -599516s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -599406s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -599297s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -598938s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -598828s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -598719s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -598594s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -598485s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -598360s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -598235s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -595985s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -595675s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -595562s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -595453s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -595339s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -594110s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096 Thread sleep time: -593985s >= -30000s
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599859
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599743
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599625
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599515
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599406
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599297
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599187
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 599078
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598963
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598844
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598733
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598625
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598462
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598344
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598124
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 598013
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597890
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597781
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597672
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597562
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597453
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597343
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597234
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597125
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 597012
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596890
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596781
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596672
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596562
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596453
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596273
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596156
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 596042
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 595890
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 595679
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 595534
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 595418
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 595294
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 595152
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 595031
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594922
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594812
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594703
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594593
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594484
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594375
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594265
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594156
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 594046
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 593936
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 593812
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599561
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599449
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598576
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598469
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598318
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598134
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 598002
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 597890
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 597775
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 597672
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 597168
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596952
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596843
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596595
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596469
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596344
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596234
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596122
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 595797
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 595568
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 594729
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 594625
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 594511
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 594406
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 594297
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 594187
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 594073
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593953
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593843
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593734
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593625
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593515
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593402
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593297
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 593187
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599529
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598719
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598484
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598375
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598155
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598008
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597688
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597563
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597094
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596875
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596766
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596328
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596094
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595984
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595869
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595719
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595608
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595500
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595371
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595151
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594813
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594547
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594437
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594328
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594200
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594092
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 593982
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 593874
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599641
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599516
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599406
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599297
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598719
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598485
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595675
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595339
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594110
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 593985
Source: z38PO_20248099-1_pdf.exe, 0000000A.00000002.3854506593.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3855064839.00000000016D6000.00000004.00000020.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1618746266.00000000014AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: sgxIb.exe, 00000018.00000002.3855625299.00000000013B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Memory written: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory written: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process created: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpEC46.tmp"
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Process created: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe "C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmp675.tmp"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmp26DE.tmp"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Queries volume information: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Queries volume information: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Queries volume information: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Queries volume information: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.1617599669.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3861351736.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3860883657.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1620262791.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3861351736.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3860883657.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3860059633.00000000033EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1620262791.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3860059633.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447223274.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z38PO_20248099-1_pdf.exe PID: 7644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z38PO_20248099-1_pdf.exe PID: 8096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: FrFvspxoHsPs.exe PID: 764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sgxIb.exe PID: 3236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sgxIb.exe PID: 4216, type: MEMORYSTR
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.1617599669.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3861351736.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3860883657.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1620262791.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3860059633.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447223274.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z38PO_20248099-1_pdf.exe PID: 7644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z38PO_20248099-1_pdf.exe PID: 8096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: FrFvspxoHsPs.exe PID: 764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sgxIb.exe PID: 3236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sgxIb.exe PID: 4216, type: MEMORYSTR
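The file and registry accesses listed above (WinSCP sessions, Chromium Login Data and Cookies, Gecko profiles.ini and cookies.sqlite, FTP Navigator, Thunderbird, MAPI profiles, IncrediMail identities) are the behavioural signal that separates a stealer from the applications that own those stores: no single legitimate program reads all of them. The following is an added example, not code from the report, the sandbox vendor or the malware. It is a Python triage check that tags each access with a credential-store family and flags any process that reads stores belonging to two or more applications other than itself. The pipe-delimited event format, the EXPECTED_OWNERS table and the chrome.exe control process (PID 4412) are constructed assumptions; PIDs 7644 and 3236 and their targets mirror events in the report.

```python
"""Flag processes that read credential stores of several applications.

Added example for this report, not code from the sandbox vendor or the
malware. The target list is taken from the file and registry accesses the
report records under "Stealing of Sensitive Information"; the event-log
format (pid|image|action|target, one event per line) is a constructed
stand-in for EDR or Sysmon registry/file telemetry.
"""
import re
from collections import defaultdict

# One regex per credential-store family, anchored on the tail of the path so
# the user name and the per-host profile directory are ignored.
CREDENTIAL_STORES = {
    "winscp_sessions": r"\\Martin Prikryl\\WinSCP 2\\Sessions$",
    "chromium_logins": r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data$",
    "chromium_cookies": r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Network\\Cookies$",
    "gecko_profiles": r"\\(Mozilla\\Firefox|8pecxstudios\\Cyberfox|NETGATE Technologies\\BlackHawk)\\profiles\.ini$",
    "firefox_cookies": r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$",
    "ftp_navigator": r"^C:\\FTP Navigator\\Ftplist\.txt$",
    "thunderbird_profiles": r"\\Thunderbird\\profiles\.ini$",
    "mapi_profiles": r"\\Windows Messaging Subsystem\\Profiles$",
    "incredimail_identities": r"\\IncrediMail\\Identities$",
}
_COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in CREDENTIAL_STORES.items()}

# Assumed owners: an application reading its own store is normal. Anything
# else touching it counts, and one process touching stores of several
# applications is the stealer pattern the report documents.
EXPECTED_OWNERS = {
    "chrome.exe": {"chromium_logins", "chromium_cookies"},
    "msedge.exe": {"chromium_logins", "chromium_cookies"},
    "firefox.exe": {"gecko_profiles", "firefox_cookies"},
    "winscp.exe": {"winscp_sessions"},
    "thunderbird.exe": {"thunderbird_profiles"},
    "outlook.exe": {"mapi_profiles"},
}


def classify(target: str):
    """Return the credential-store family a path or registry key belongs to, else None."""
    for name, rx in _COMPILED.items():
        if rx.search(target):
            return name
    return None


def parse_events(log_text: str):
    """Parse 'pid|image|action|target' lines into dicts; blank and '#' lines are skipped."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, image, action, target = line.split("|", 3)
        events.append({"pid": int(pid), "image": image, "action": action, "target": target})
    return events


def find_harvesters(events, min_families: int = 2):
    """Map (pid, image) -> sorted store families for every process that reads
    stores of at least `min_families` applications it does not own."""
    touched = defaultdict(set)
    for ev in events:
        family = classify(ev["target"])
        if family is None:
            continue
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if family in EXPECTED_OWNERS.get(exe, set()):
            continue  # own store, not evidence of harvesting
        touched[(ev["pid"], ev["image"])].add(family)
    return {proc: sorted(fams) for proc, fams in touched.items() if len(fams) >= min_families}


# Constructed sample log. PIDs 7644 and 3236 and their targets mirror the
# report; chrome.exe (PID 4412) is a hypothetical benign control process.
SAMPLE_LOG = r"""
7644|C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe|RegOpenKey|HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
7644|C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe|FileOpen|C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
7644|C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe|RegOpenKey|HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
7644|C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe|RegOpenKey|HKEY_CURRENT_USER\Software\IncrediMail\Identities
3236|C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe|FileOpen|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
3236|C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe|FileOpen|C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
3236|C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe|FileOpen|C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
3236|C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe|FileOpen|C:\FTP Navigator\Ftplist.txt
4412|C:\Program Files\Google\Chrome\Application\chrome.exe|FileOpen|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
4412|C:\Program Files\Google\Chrome\Application\chrome.exe|FileOpen|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
"""

if __name__ == "__main__":
    for (pid, image), families in find_harvesters(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT pid={pid} {image}: reads {', '.join(families)}")
```

Run against the sample log, the check flags the dropped sgxIb.exe (four browser/FTP families) and the initial z38PO_20248099-1_pdf.exe (WinSCP plus three mail-client families) while chrome.exe, which only reads its own Login Data and Cookies, is ignored. On a real host the registry events are available from Sysmon Event ID 12/13; file-open events need an EDR or an ETW file provider, since Sysmon does not log reads. Raising min_families trades recall for fewer alerts from backup agents and password managers that legitimately touch one or two of these stores.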

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.1617599669.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3861351736.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3860883657.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1620262791.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3861351736.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3860883657.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3860059633.00000000033EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1620262791.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3860059633.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1447223274.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z38PO_20248099-1_pdf.exe PID: 7644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z38PO_20248099-1_pdf.exe PID: 8096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: FrFvspxoHsPs.exe PID: 764, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sgxIb.exe PID: 3236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sgxIb.exe PID: 4216, type: MEMORYSTR