Windows Analysis Report
PO# EB202329720241007_Hardy_Process^^^^.pif.exe

Overview

General Information

Sample name: PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Analysis ID: 1528611
MD5: 6145c8269f1675712b844d8ac1980287
SHA1: 7f37641603386f8b96edcf91a4d32d3f4a5d40cd
SHA256: 93548239884f6d9f3ea7240dbf34beaa81bcd4f3c122454e81d9e1e433c804f0
Tags: exe, user-threatcat_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Obfuscated command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Dosfuscation Activity
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: cdn.glitch.global Virustotal: Detection: 5%
Source: https://cdn.glitch.global Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Roaming\wpappx.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\wpappx.exe Virustotal: Detection: 33%
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe ReversingLabs: Detection: 34%
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe Virustotal: Detection: 33%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\wpappx.exe Joe Sandbox ML: detected
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe Joe Sandbox ML: detected
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1825930591.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.0000000003FFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000003230000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2140570961.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1825930591.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.0000000003FFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000003230000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2140570961.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_05D9D3D0
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_05EB1A78
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_05EB1A70
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 4x nop then jmp 05EF5973h 0_2_05EF55E0
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 4x nop then jmp 05EF5973h 0_2_05EF55D1
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 4x nop then jmp 05EFD510h 0_2_05EFD458
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 4x nop then jmp 05EFD510h 0_2_05EFD450
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 4x nop then jmp 05EF61A9h 0_2_05EF6148
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 4x nop then jmp 05EF61A9h 0_2_05EF6336
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 4_2_0643D3D0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 4_2_06551A70
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 4_2_06551A78
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then jmp 0659D510h 4_2_0659D458
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then jmp 0659D510h 4_2_0659D450
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then jmp 06595973h 4_2_065955D1
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then jmp 06595973h 4_2_065955E0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then jmp 065961A9h 4_2_06596336
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then jmp 065961A9h 4_2_06596148
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then jmp 065961A9h 4_2_06596138
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 7_2_0602D3D0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 7_2_06141A70
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 7_2_06141A78
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then jmp 0618D510h 7_2_0618D458
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then jmp 0618D510h 7_2_0618D450
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then jmp 06185973h 7_2_061855D1
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then jmp 06185973h 7_2_061855E0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then jmp 061861A9h 7_2_06186336
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then jmp 061861A9h 7_2_06186138
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4x nop then jmp 061861A9h 7_2_06186148

Networking

Source: Network traffic Suricata IDS: 2857345 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.4:49747 -> 89.238.176.5:50600
Source: Network traffic Suricata IDS: 2857345 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.4:49739 -> 89.238.176.5:50600
Source: Network traffic Suricata IDS: 2857345 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.4:49879 -> 89.238.176.5:50600
Source: Network traffic Suricata IDS: 2857345 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.4:50010 -> 89.238.176.5:50600
Source: Network traffic Suricata IDS: 2857345 - Severity 1 - ETPRO MALWARE Win32/zgRAT CnC Checkin : 192.168.2.4:50011 -> 89.238.176.5:50600
Source: unknown DNS query: name: puritylgs.duckdns.org
Source: global traffic TCP traffic: 192.168.2.4:49739 -> 89.238.176.5:50600
Source: Joe Sandbox View ASN Name: M247GB M247GB
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: cdn.glitch.global
Source: global traffic DNS traffic detected: DNS query: puritylgs.duckdns.org
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000008.00000002.2922615312.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.glitch.global
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002B01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.glitch.global/65e86a4d-1443-41a6-ac6d-f084c1191eff/Vyciz.mp4xC
Source: wpappx.exe, 00000004.00000002.2048461368.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.glitch.global/65e86a4d-1443-41a6-ac6d-f084c1191eff/Vyciz.mp4xC&
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2140570961.0000000003DFB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Source: 00000000.00000002.1807903081.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000001.00000002.1814780379.0000000000B60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.1817667483.0000000004094000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2048461368.00000000033BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000002.2140570961.0000000003C82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000007.00000002.2125157304.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2065435853.000000000456D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: initial sample Static PE information: Filename: PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_05EB0C28 NtWriteVirtualMemory, 0_2_05EB0C28
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_05EB08E0 NtAllocateVirtualMemory, 0_2_05EB08E0
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_05EB0A58 NtCreateThreadEx, 0_2_05EB0A58
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_05EB0C21 NtWriteVirtualMemory, 0_2_05EB0C21
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_05EB08D8 NtAllocateVirtualMemory, 0_2_05EB08D8
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_05EB0A50 NtCreateThreadEx, 0_2_05EB0A50
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_05EFECF0 NtProtectVirtualMemory, 0_2_05EFECF0
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_05EFECE8 NtProtectVirtualMemory, 0_2_05EFECE8
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_06550C28 NtWriteVirtualMemory, 4_2_06550C28
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_06550A58 NtCreateThreadEx, 4_2_06550A58
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_065508E0 NtAllocateVirtualMemory, 4_2_065508E0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_06550C21 NtWriteVirtualMemory, 4_2_06550C21
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_06550A50 NtCreateThreadEx, 4_2_06550A50
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_065508D8 NtAllocateVirtualMemory, 4_2_065508D8
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_0659ECF0 NtProtectVirtualMemory, 4_2_0659ECF0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_0659ECE8 NtProtectVirtualMemory, 4_2_0659ECE8
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_06140C28 NtWriteVirtualMemory, 7_2_06140C28
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_06140A58 NtCreateThreadEx, 7_2_06140A58
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_061408E0 NtAllocateVirtualMemory, 7_2_061408E0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_06140C21 NtWriteVirtualMemory, 7_2_06140C21
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_06140A50 NtCreateThreadEx, 7_2_06140A50
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_061408D8 NtAllocateVirtualMemory, 7_2_061408D8
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0618ECF0 NtProtectVirtualMemory, 7_2_0618ECF0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0618ECE8 NtProtectVirtualMemory, 7_2_0618ECE8
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028DC164 7_2_028DC164
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028D159C 7_2_028D159C
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028D8A90 7_2_028D8A90
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028D09B8 7_2_028D09B8
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028D1EE0 7_2_028D1EE0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028D0C98 7_2_028D0C98
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028DAD67 7_2_028DAD67
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028D52A0 7_2_028D52A0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028D2218 7_2_028D2218
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028D43F8 7_2_028D43F8
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028D169A 7_2_028D169A
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028D4408 7_2_028D4408
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028D1F91 7_2_028D1F91
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028D0C89 7_2_028D0C89
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028D0CD2 7_2_028D0CD2
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028DDC60 7_2_028DDC60
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028DDC70 7_2_028DDC70
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_028D0D49 7_2_028D0D49
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_05FC6CC0 7_2_05FC6CC0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_05FC57A0 7_2_05FC57A0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_05FC6CB1 7_2_05FC6CB1
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_05FC0040 7_2_05FC0040
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_05FC0006 7_2_05FC0006
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_05FC5790 7_2_05FC5790
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_05FC7247 7_2_05FC7247
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_06020006 7_2_06020006
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_06020040 7_2_06020040
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0602E8D8 7_2_0602E8D8
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0613212F 7_2_0613212F
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_06133748 7_2_06133748
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_06132467 7_2_06132467
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_06142688 7_2_06142688
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0614B5E0 7_2_0614B5E0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0614267A 7_2_0614267A
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0614C458 7_2_0614C458
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0614C448 7_2_0614C448
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0614B5D1 7_2_0614B5D1
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0614F210 7_2_0614F210
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0614F201 7_2_0614F201
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0614F800 7_2_0614F800
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0614F802 7_2_0614F802
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_06189A18 7_2_06189A18
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0618EA50 7_2_0618EA50
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0618BB88 7_2_0618BB88
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0618A140 7_2_0618A140
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0618AF93 7_2_0618AF93
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0618AFA0 7_2_0618AFA0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_06189D6D 7_2_06189D6D
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_06189A09 7_2_06189A09
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0618EA40 7_2_0618EA40
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0618BB78 7_2_0618BB78
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_061823D8 7_2_061823D8
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0618C840 7_2_0618C840
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_063DF878 7_2_063DF878
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_063DE9C0 7_2_063DE9C0
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_063DCAE8 7_2_063DCAE8
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_063C0006 7_2_063C0006
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_063C0040 7_2_063C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A92B88 8_2_02A92B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A938D0 8_2_02A938D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A97040 8_2_02A97040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A94AB6 8_2_02A94AB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A94A80 8_2_02A94A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A94A9D 8_2_02A94A9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A92AF1 8_2_02A92AF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A94A34 8_2_02A94A34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A94A07 8_2_02A94A07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A94A1A 8_2_02A94A1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A93A15 8_2_02A93A15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A94A69 8_2_02A94A69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A94A50 8_2_02A94A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A92B88 8_2_02A92B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A938D0 8_2_02A938D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A949F2 8_2_02A949F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A9395D 8_2_02A9395D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A93EBD 8_2_02A93EBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A93E87 8_2_02A93E87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A93690 8_2_02A93690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A9560E 8_2_02A9560E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A93FD0 8_2_02A93FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05064DB0 8_2_05064DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_050695B8 8_2_050695B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05068D31 8_2_05068D31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05068D6F 8_2_05068D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05068D80 8_2_05068D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05064DA0 8_2_05064DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_050695A8 8_2_050695A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05068F0F 8_2_05068F0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_050696EF 8_2_050696EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_05064B91 8_2_05064B91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_050B1020 8_2_050B1020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_050B20C8 8_2_050B20C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_050B1357 8_2_050B1357
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_050E39F1 8_2_050E39F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_050E1C38 8_2_050E1C38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_050FEEC8 8_2_050FEEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_050F62B0 8_2_050F62B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_050F68F0 8_2_050F68F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_053C7040 10_2_053C7040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_053C38D0 10_2_053C38D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_053C2B88 10_2_053C2B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_053C3FD0 10_2_053C3FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_053C3EBD 10_2_053C3EBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_053C3E87 10_2_053C3E87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_053C395D 10_2_053C395D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_053C7039 10_2_053C7039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_053C2B78 10_2_053C2B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_053C38D0 10_2_053C38D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_053C2B88 10_2_053C2B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_053C3A15 10_2_053C3A15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_056D68E0 10_2_056D68E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_056D68F0 10_2_056D68F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_056D60B9 10_2_056D60B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_056D5AD0 10_2_056D5AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_056D5AD0 10_2_056D5AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_056D62B0 10_2_056D62B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_05754DB0 10_2_05754DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_057595B8 10_2_057595B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_05758D6F 10_2_05758D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_05758D31 10_2_05758D31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_05754DA0 10_2_05754DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_057595A8 10_2_057595A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_05758D80 10_2_05758D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_05758F0F 10_2_05758F0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_057596EF 10_2_057596EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_05754B87 10_2_05754B87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_057F1020 10_2_057F1020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_057F20C8 10_2_057F20C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_057F1357 10_2_057F1357
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 10_2_05821C38 10_2_05821C38
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000000.1670102950.00000000004C2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePO# EB202329720241007_Hardy_Process^^^^.exep( vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1825930591.0000000005F70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePO# EB202329720241007_Hardy_Process^^^^.exep( vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1822347169.000000000591A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePO# EB202329720241007_Hardy_Process^^^^.exep( vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807147952.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe Binary or memory string: OriginalFilenamePO# EB202329720241007_Hardy_Process^^^^.exep( vs PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 00000000.00000002.1807903081.0000000002F87000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000001.00000002.1814780379.0000000000B60000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.1817667483.0000000004094000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2048461368.00000000033BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000007.00000002.2140570961.0000000003C82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000007.00000002.2125157304.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2065435853.000000000456D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/3@3/1
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe File created: C:\Users\user\AppData\Roaming\wpappx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\16904c6276731aa3
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2256:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:280:120:WilError_03
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe ReversingLabs: Detection: 34%
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe Virustotal: Detection: 33%
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe File read: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe
Source: unknown Process created: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe "C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe"
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\wpappx.exe "C:\Users\user\AppData\Roaming\wpappx.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\wpappx.exe "C:\Users\user\AppData\Roaming\wpappx.exe"
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1825930591.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.0000000003FFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000003230000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2140570961.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1825930591.0000000005F70000.00000004.08000000.00040000.00000000.sdmp, PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1817667483.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.0000000003FFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000003230000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2140570961.0000000003EFC000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1824377543.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, wpappx.exe, 00000004.00000002.2065435853.00000000041BE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003FE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2435244126.0000000003F6E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, --.cs .Net Code: _0003 System.AppDomain.Load(byte[])
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.3b0c030.3.raw.unpack, --.cs .Net Code: _0003 System.AppDomain.Load(byte[])
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5d40000.6.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5d40000.6.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5d40000.6.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5d40000.6.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5d40000.6.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5f70000.8.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: unknown Process created: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe "C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe"
Source: Yara match File source: 10.2.InstallUtil.exe.41544e8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.InstallUtil.exe.5770000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.3d444e8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.5da0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2446396240.0000000005770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2435244126.000000000412C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1824668881.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2125157304.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2928192880.0000000003D44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2048461368.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1807903081.0000000002A38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2922615312.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO# EB202329720241007_Hardy_Process^^^^.pif.exe PID: 6728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7136, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wpappx.exe PID: 7016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wpappx.exe PID: 3052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6752, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 1104, type: MEMORYSTR
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_05C82EA7 push esp; retf 0_2_05C82EA8
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_05D3D1D7 pushfd ; ret 0_2_05D3D1E9
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_05D3234B pushfd ; retf 0_2_05D32351
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_05D9A291 push eax; ret 0_2_05D9A294
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_06131860 push eax; ret 0_2_06131861
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_0613714C push cs; ret 0_2_0613714F
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Code function: 0_2_061331B0 push edx; iretd 0_2_061331B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00B60175 push ecx; retf 1_2_00B60176
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_06322EA7 push esp; retf 4_2_06322EA8
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_063DD1D6 pushfd ; ret 4_2_063DD1E9
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_0643A291 push eax; ret 4_2_0643A294
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_065418B0 push es; ret 4_2_06541960
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_0654F9F0 push es; ret 4_2_0654FA00
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_0659B779 push es; ret 4_2_0659B7A4
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_0659CF96 push es; iretd 4_2_0659CF98
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_0659E136 push es; iretd 4_2_0659E174
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_067D1860 push eax; ret 4_2_067D1861
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_067D714C push cs; ret 4_2_067D714F
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 4_2_067D31B0 push edx; iretd 4_2_067D31B7
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_05F12EA7 push esp; retf 7_2_05F12EA8
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_05FCD1D6 pushfd ; ret 7_2_05FCD1E9
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0602A291 push eax; ret 7_2_0602A294
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_061318B0 push es; ret 7_2_06131960
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0613F9F0 push es; ret 7_2_0613FA00
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0618B779 push es; ret 7_2_0618B7A4
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_0618CF97 push es; iretd 7_2_0618CF98
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_063C1860 push eax; ret 7_2_063C1861
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_063C714C push cs; ret 7_2_063C714F
Source: C:\Users\user\AppData\Roaming\wpappx.exe Code function: 7_2_063C31B0 push edx; iretd 7_2_063C31B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A918E7 push eax; retf 8_2_02A918ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02A931B5 push 63E803ACh; iretd 8_2_02A931BA
Source: 0.2.PO# EB202329720241007_Hardy_Process^^^^.pif.exe.59b0000.5.raw.unpack, lQLmXMbHl8njJme4f0k.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'zFfbkJquEn', 'NtProtectVirtualMemory', 'Ihel4LWr9OlsDUXcCTi', 'DXLNrhWfGTQi3CMsqcC', 'GfcVLgWWi3LHIkuvgCg', 'vt335oW6qAJUHkS11q6'
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe File created: C:\Users\user\AppData\Roaming\wpappx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wpappx
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wpappx
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: PO# EB202329720241007_Hardy_Process^^^^.pif.exe PID: 6728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wpappx.exe PID: 7016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wpappx.exe PID: 3052, type: MEMORYSTR
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807903081.0000000002A38000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000004.00000002.2048461368.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2125157304.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2922615312.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Memory allocated: 2780000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Memory allocated: 29F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Memory allocated: 27F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1100000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2DD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wpappx.exe Memory allocated: 1400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wpappx.exe Memory allocated: 2EE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wpappx.exe Memory allocated: 1400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wpappx.exe Memory allocated: 28D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wpappx.exe Memory allocated: 2B00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\wpappx.exe Memory allocated: 2940000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 27C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 27C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2C50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2ED0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4ED0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2026
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5740 Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3804 Thread sleep count: 2026 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3804 Thread sleep count: 7830 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5928 Thread sleep time: -922337203685477s >= -30000s
Source: InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 0VMware|VIRTUAL|A M I|Xen4win32_process.handle='{0}'
Source: wpappx.exe, 00000007.00000002.2125157304.0000000002B91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: InstallUtil.exe, 00000008.00000002.2922615312.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmGuestLib.dllDselect * from Win32_ComputerSystem
Source: InstallUtil.exe, 0000000A.00000002.2430967730.0000000002F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: PO# EB202329720241007_Hardy_Process^^^^.pif.exe, 00000000.00000002.1807147952.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: InstallUtil.exe, 00000001.00000002.1817174501.0000000003FD0000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1817174501.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2444965514.0000000005510000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: qQXKlhGqeMuRaBW9e5O
Source: wpappx.exe, 00000004.00000002.2044541117.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, wpappx.exe, 00000007.00000002.2123213483.0000000000D27000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2919734175.0000000000C41000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\wpappx.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: D00000 protect: page execute and read and write
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Thread created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe EIP: B60000
Source: C:\Users\user\AppData\Roaming\wpappx.exe Thread created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe EIP: 700000
Source: C:\Users\user\AppData\Roaming\wpappx.exe Thread created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe EIP: D00000
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: B60000
Source: C:\Users\user\AppData\Roaming\wpappx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 700000
Source: C:\Users\user\AppData\Roaming\wpappx.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: D00000
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\wpappx.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Queries volume information: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe VolumeInformation
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wpappx.exe Queries volume information: C:\Users\user\AppData\Roaming\wpappx.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wpappx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO# EB202329720241007_Hardy_Process^^^^.pif.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid