Windows Analysis Report
Kayla Dennis CV.exe

Overview

General Information

Sample name: Kayla Dennis CV.exe
Analysis ID: 1557909
MD5: 8f6d690e119684b1629d41f97b83fb23
SHA1: 46efdb7ae7079a781723d75e390431aa4c6080e5
SHA256: c997ad9cac5cb1cfc050a066e275aae6a540443075b2641ca19331b3f065ee29
Tags: exeuser-abuse_ch
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 0000000B.00000002.3288992952.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7253575935:AAEoCGpTh1d2VtErBVh5tHQuO4O_SZJWbQk/sendMessage?chat_id=6246770128", "Token": "7253575935:AAEoCGpTh1d2VtErBVh5tHQuO4O_SZJWbQk", "Chat_id": "6246770128\n", "Version": "5.1"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: Kayla Dennis CV.exe ReversingLabs: Detection: 29%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Kayla Dennis CV.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: Kayla Dennis CV.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49712 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49725 version: TLS 1.0
Source: Kayla Dennis CV.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000B.00000002.3283027662.0000000000C92000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000B.00000002.3283027662.0000000000C92000.00000002.00000001.01000000.0000000D.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Code function: 4x nop then jmp 0B1D0BD6h 0_2_0B1D046F
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Code function: 4x nop then jmp 0799FCC6h 12_2_0799F55F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05632819h 17_2_05632568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05633640h 17_2_0563356E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0563D801h 17_2_0563D558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05631F59h 17_2_05631CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0563F211h 17_2_0563EF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0563E0B1h 17_2_0563DE08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0563E961h 17_2_0563E6B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0563D3A9h 17_2_0563D100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 056323B9h 17_2_05632108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05633640h 17_2_056331F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05632C79h 17_2_056329C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0563DC59h 17_2_0563D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 17_2_05630040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05631AF9h 17_2_05631848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0563FAC1h 17_2_0563F818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05630D0Eh 17_2_05630B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05631698h 17_2_05630B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0563EDB9h 17_2_0563EB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0563F669h 17_2_0563F3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0563E509h 17_2_0563E260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05633640h 17_2_05633228

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 132.226.247.73 132.226.247.73
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49714 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49748 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49711 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49733 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49721 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49715 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49713 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49731 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49732 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49726 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49773 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49741 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49796 -> 188.114.96.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49712 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49725 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003090000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003165000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 0000000B.00000002.3288992952.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Kayla Dennis CV.exe, 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: Kayla Dennis CV.exe, lyKbfEsVYfQfU.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Kayla Dennis CV.exe, lyKbfEsVYfQfU.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 0000000B.00000002.3296169497.0000000006600000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microHy1s.
Source: Kayla Dennis CV.exe, lyKbfEsVYfQfU.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: Kayla Dennis CV.exe, 00000000.00000002.2131860326.0000000003421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, lyKbfEsVYfQfU.exe, 0000000C.00000002.2224356364.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Kayla Dennis CV.exe, 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187
Source: RegSvcs.exe, 0000000B.00000002.3288992952.000000000313C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003158000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003185000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.000000000314A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002C06000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002BEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187$
Source: Kayla Dennis CV.exe, lyKbfEsVYfQfU.exe.0.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: Kayla Dennis CV.exe, lyKbfEsVYfQfU.exe.0.dr String found in binary or memory: https://www.google.com/#q=
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 7364, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7364, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Code function: 0_2_07D716F8 0_2_07D716F8
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Code function: 0_2_07D716E7 0_2_07D716E7
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Code function: 0_2_07D7A3CB 0_2_07D7A3CB
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Code function: 0_2_07D73033 0_2_07D73033
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Code function: 0_2_07D79FA0 0_2_07D79FA0
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Code function: 0_2_07D7BEE8 0_2_07D7BEE8
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Code function: 0_2_07D7AC48 0_2_07D7AC48
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Code function: 0_2_07D7A810 0_2_07D7A810
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Code function: 0_2_07D7A800 0_2_07D7A800
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Code function: 0_2_0B1D1F58 0_2_0B1D1F58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012F6108 11_2_012F6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012FC198 11_2_012FC198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012FC470 11_2_012FC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012FB4A0 11_2_012FB4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012F6730 11_2_012F6730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012FC754 11_2_012FC754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012F9858 11_2_012F9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012FBBDC 11_2_012FBBDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012FCA34 11_2_012FCA34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012F4AD9 11_2_012F4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012FBEB0 11_2_012FBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012F3578 11_2_012F3578
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Code function: 12_2_079916F8 12_2_079916F8
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Code function: 12_2_079916E7 12_2_079916E7
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Code function: 12_2_0799A3CA 12_2_0799A3CA
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Code function: 12_2_07993033 12_2_07993033
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Code function: 12_2_07999EC8 12_2_07999EC8
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Code function: 12_2_0799BEE8 12_2_0799BEE8
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Code function: 12_2_0799AC48 12_2_0799AC48
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Code function: 12_2_0799A810 12_2_0799A810
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Code function: 12_2_0799A800 12_2_0799A800
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Code function: 12_2_0B030FC7 12_2_0B030FC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01016108 17_2_01016108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0101C190 17_2_0101C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0101B328 17_2_0101B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0101C470 17_2_0101C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01016730 17_2_01016730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0101C751 17_2_0101C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01019858 17_2_01019858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0101BBD2 17_2_0101BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0101CA31 17_2_0101CA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01014AD9 17_2_01014AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0101BEB0 17_2_0101BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01013570 17_2_01013570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0101B4F3 17_2_0101B4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05635488 17_2_05635488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_056399A8 17_2_056399A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563A0D0 17_2_0563A0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05632568 17_2_05632568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563D548 17_2_0563D548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563D558 17_2_0563D558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05632558 17_2_05632558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563DDF9 17_2_0563DDF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05635478 17_2_05635478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05631CA8 17_2_05631CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05631C99 17_2_05631C99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563EF68 17_2_0563EF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563EF58 17_2_0563EF58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05638FF0 17_2_05638FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05639788 17_2_05639788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563DE08 17_2_0563DE08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563E6A8 17_2_0563E6A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563E6B8 17_2_0563E6B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563D100 17_2_0563D100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05632108 17_2_05632108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_056329C8 17_2_056329C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563D9A1 17_2_0563D9A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563D9B0 17_2_0563D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_056329B8 17_2_056329B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563A076 17_2_0563A076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05630040 17_2_05630040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05631848 17_2_05631848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05631838 17_2_05631838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05639000 17_2_05639000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05630007 17_2_05630007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563F80A 17_2_0563F80A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563F818 17_2_0563F818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563D0EF 17_2_0563D0EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_056320F9 17_2_056320F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05630B30 17_2_05630B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563EB02 17_2_0563EB02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563EB10 17_2_0563EB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_05630B1F 17_2_05630B1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563F3C0 17_2_0563F3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563F3B1 17_2_0563F3B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563E260 17_2_0563E260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563E250 17_2_0563E250
PE / OLE file has an invalid certificate
Source: Kayla Dennis CV.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: Kayla Dennis CV.exe, 00000000.00000002.2131860326.0000000003421000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Kayla Dennis CV.exe
Source: Kayla Dennis CV.exe, 00000000.00000002.2133658014.0000000004632000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Kayla Dennis CV.exe
Source: Kayla Dennis CV.exe, 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Kayla Dennis CV.exe
Source: Kayla Dennis CV.exe, 00000000.00000002.2141144044.00000000068F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs Kayla Dennis CV.exe
Source: Kayla Dennis CV.exe, 00000000.00000002.2142467699.00000000084F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Kayla Dennis CV.exe
Source: Kayla Dennis CV.exe, 00000000.00000002.2126394487.000000000160E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Kayla Dennis CV.exe
Source: Kayla Dennis CV.exe Binary or memory string: OriginalFilenameXDRa.exe: vs Kayla Dennis CV.exe
Uses 32bit PE files
Source: Kayla Dennis CV.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 7364, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7364, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Kayla Dennis CV.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lyKbfEsVYfQfU.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, -j--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, -j--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, -j--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, -j--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, --.cs Base64 encoded string: 'L/R25pD93jLO+3E3+VbbruzFB+w8ATIgUswH8PVgmZqSxh5DvX1ttLV5ijFT/hS2'
Source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, --.cs Base64 encoded string: 'L/R25pD93jLO+3E3+VbbruzFB+w8ATIgUswH8PVgmZqSxh5DvX1ttLV5ijFT/hS2'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, i0WcuiQWSwH93uGufO.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, w1Wamsg80XvcbX1PDi.cs Security API names: _0020.SetAccessControl
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, w1Wamsg80XvcbX1PDi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, w1Wamsg80XvcbX1PDi.cs Security API names: _0020.AddAccessRule
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, w1Wamsg80XvcbX1PDi.cs Security API names: _0020.SetAccessControl
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, w1Wamsg80XvcbX1PDi.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, w1Wamsg80XvcbX1PDi.cs Security API names: _0020.AddAccessRule
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, i0WcuiQWSwH93uGufO.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/15@2/2
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe File created: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Mutant created: \Sessions\1\BaseNamedObjects\JRXKrmcGlcGytWAcekV
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe File created: C:\Users\user\AppData\Local\Temp\tmp796.tmp Jump to behavior
Source: Kayla Dennis CV.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Kayla Dennis CV.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RegSvcs.exe, 0000000B.00000002.3288992952.0000000003213000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003265000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003223000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003231000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3293827844.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3288992952.0000000003259000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3295153780.0000000003B10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3289778566.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Kayla Dennis CV.exe ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe File read: C:\Users\user\Desktop\Kayla Dennis CV.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Kayla Dennis CV.exe "C:\Users\user\Desktop\Kayla Dennis CV.exe"
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp2EE5.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe" Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe" Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp2EE5.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: msdmo.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: msdmo.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41B89B6B-9399-11D2-9623-00C04F8EE628}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Kayla Dennis CV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Kayla Dennis CV.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000B.00000002.3283027662.0000000000C92000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000B.00000002.3283027662.0000000000C92000.00000002.00000001.01000000.0000000D.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, w1Wamsg80XvcbX1PDi.cs .Net Code: Mn7q87oQn4 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, w1Wamsg80XvcbX1PDi.cs .Net Code: Mn7q87oQn4 System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Code function: 0_2_07D7FB7F push eax; retf 0_2_07D7FB8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012F4000 push eax; ret 11_2_012F400A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012F40C5 push eax; ret 11_2_012F3FFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012F3F90 push eax; ret 11_2_012F3F7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012F3F90 push eax; ret 11_2_012F401A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012F3F90 push eax; ret 11_2_012F402A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_012F3FE0 push eax; ret 11_2_012F3FFA
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Code function: 12_2_0799EE0B push eax; retf 12_2_0799EE0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01014000 push eax; ret 17_2_0101400A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01014010 push eax; ret 17_2_0101401A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_010140C5 push eax; ret 17_2_01013FFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_010124B9 push 8BFFFFFFh; retf 17_2_010124BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01013F90 push eax; ret 17_2_01013F7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_01013FE0 push eax; ret 17_2_01013FFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_056344E8 push eax; iretd 17_2_056344E9
Source: Kayla Dennis CV.exe Static PE information: section name: .text entropy: 7.899161344113745
Source: lyKbfEsVYfQfU.exe.0.dr Static PE information: section name: .text entropy: 7.899161344113745
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, Ae3EapnZ1ndJoCaosg.cs High entropy of concatenated method names: 'fBwyW76B29', 'zr7yME9E5V', 'rEUyUpqDjI', 'AMmUdvjMND', 'PfSUz7aPTA', 'oJYyBtP5HZ', 'GeqyHdB3k3', 'o89yS9ieiV', 'g8GylhCpNr', 'Uyqyq8Bs3K'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, zZBwcFdoCBhDHvdrMM.cs High entropy of concatenated method names: 'TJJvMsFir8', 'wM6v5STYFS', 'Ax8vU2BvHU', 'y4CvyCx9cs', 'vbfv2LJTx8', 'gGXvgcBxFQ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, zeMT1koqZxrLyrXShU.cs High entropy of concatenated method names: 'kSl2bZ7c8j', 'zVC2fOd46r', 'Od22JtDZlm', 'U5U2XR3lLN', 'lkL21AOism', 'Yd32CYZ7hM', 'U5M2ndtZ3F', 'O2e2wfMXLS', 'b6F2jQIsnI', 'aoe2TDkCtn'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, qFWcJZVwvHTZWf33J1.cs High entropy of concatenated method names: 'Ojr7TpZypU', 'E7I709nnLq', 'wkN7Vu68hv', 'v3P7Zfv0va', 'LQa7fuBIeE', 'eDK7JVO9RZ', 'iTL7XDouVq', 'Oh5717ufkx', 'x1D7CdQHe7', 'Alv7nPaJKn'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, Et4w0UHHdcftwrrdAtp.cs High entropy of concatenated method names: 'UeAvdSb4ZQ', 'IX2vzGsBHi', 'gVH6BECLu2', 'm6X6HUWPbY', 'lDT6Sp6Uvg', 'geE6lHmt9R', 'CvH6q81Fe7', 'qqb6cBIBpF', 'BK36WFbO4U', 'cIa6AcK8GZ'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, K9CQNMrr6cZBHfROeJ.cs High entropy of concatenated method names: 'ToString', 'guoO9VrYpi', 'rdkOfuukvn', 'GImOJODpH8', 'QilOXgKLCE', 'xViO1craXK', 'dmROC8ejpL', 'Ua6Onpog98', 'hMIOwMQhJ1', 'e7TOjwlfGl'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, oyVIcTqqP4C6AwsfEK.cs High entropy of concatenated method names: 'rJUHy0Wcui', 'fSwHgH93uG', 'uS6HirC03X', 'XOQHGFxe67', 'UdqH7Yjy05', 'wP7HOHCDY9', 'e4Ou1PlVZn1FbSUMMI', 'KEpxqRSxBGMhhnKR7g', 'K6Z1L4jGHejX3XdxPj', 'cNCHHQUBGk'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, rNBnHnp1WKJm5AxIZM.cs High entropy of concatenated method names: 'ltp27jKoUC', 'ikc2FKrRkY', 'IXm22SMVju', 'Nsp265KOsC', 'J1O2xKNZJQ', 'eMu2mD88QR', 'Dispose', 'H5LKWTj2jg', 'CViKAOxeoP', 'D8FKMG86Jh'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, Ch0lk6HBVj9gH1dXbDR.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'B8Iv93e3k5', 'hDcv05MZC4', 'YMtvu5wDCE', 'gFQvVFUkcA', 'MWQvZdEQuL', 'vx1vrnjrBM', 'JMSvhsrxMu'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, qq0i0xtS6rC03X4OQF.cs High entropy of concatenated method names: 'DPPMY4eC7s', 'M8nMLaAP6K', 'Eq0MQN2xFb', 'h1QMtX7muk', 'CAAM7UofyA', 'a7fMOHTjPd', 'frSMFu4K4t', 'dZmMKCCqru', 'TPYM2AMMUY', 'FdNMv7wZOA'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, EoWQELuK6MS0aI4AZn.cs High entropy of concatenated method names: 'LcN3QQ3861', 'IOZ3tYvelN', 'SBH3bGHt7a', 'BWl3fF0Mrp', 'ja23XXrhMM', 'Ggw318aOcR', 'EXj3nvJsQB', 'kW53wLJgMl', 'WxS3T1PNJZ', 'dLK39eAaax'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, j05EP7bHCDY9bVeb91.cs High entropy of concatenated method names: 'HuXUcUK1Wt', 'yAtUA96WRN', 'p5RU5EUSpb', 'kNcUytuXHc', 'XNKUgCaH1Q', 'me45R9T2DP', 'OTc5ayrgrt', 'FZS5p6OhMm', 'FLl54NAG8P', 'NJ55oDCZBG'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, mcLAcvjWC5sDoJTaiB.cs High entropy of concatenated method names: 'G7lye2NI3l', 'j1NyDSyr5P', 'PrGy8iMkNf', 'XXCyYSCkJL', 'bg1yk0uLmk', 'jgmyLwAXpd', 'WCNyNscGDR', 'XPAyQKFZpJ', 'X5lyt14bPC', 'QdwyIH1veW'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, ve67QJIErbjQ2RdqYj.cs High entropy of concatenated method names: 'Aot5koFUs9', 'Bvn5NfFVNJ', 'nSeMJvcmYb', 'mDuMXbva5f', 'FvuM1cGliW', 'glOMCI2RB1', 'eAfMnppDA1', 'ItaMwPNlqS', 'H9LMjmoe8p', 'rIRMT1mgpR'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, w1Wamsg80XvcbX1PDi.cs High entropy of concatenated method names: 'MinlcY01X1', 'buxlW2A0PM', 'pCAlAapHkX', 'zdYlMw9nw9', 'aR2l548Ys8', 'cg5lU0EjOp', 'Fk1lyh2hEa', 'r0GlgC8PMW', 'c15lP4C6iv', 'peIli6pPbW'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, FoAFRBaaCt9wLgIjEA.cs High entropy of concatenated method names: 'bI2F43Kuhd', 'iPtFdBG81p', 'hMSKBntYOx', 'AnBKHuuUjU', 'UNPF9fXWmr', 'rSqF0RkJL1', 'Jc5FuMe4Gi', 'KetFV6gXMe', 'I9xFZNUtNT', 'jbkFrsD0Xj'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, qfee45ScyUVTNoxrqO.cs High entropy of concatenated method names: 'r438KqbKP', 'GhaYb3nJP', 'uL1LZ1IhJ', 'xXCNJqLLF', 'xretaYAeJ', 'X4rIsXJkr', 'okUWK9PwRXxVfei56R', 'Usr43lfDOXW0PJ7320', 'pRpKo1xgj', 'UQZvfsAAk'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, XLJX4JHqAW5aPYZSNNV.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Q1is2oA8Gd', 'VrOsvcE3Om', 'mtHs66PReB', 'MZSssXyLna', 'U1FsxIDhrk', 'L1RsEnZbLP', 'ejwsmx2FSo'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, qKGIPyzat1P0lbO4vD.cs High entropy of concatenated method names: 'rPUvLGJ45q', 'l5UvQUXi1R', 'gr1vtiQhxk', 'bUrvbtyXZB', 'MpKvfQGK9v', 'AcGvXnUjYL', 'X4dv1gpMMA', 'CIlvmiYf0u', 'qngvedj0qJ', 'R8FvDRF3bv'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, i0WcuiQWSwH93uGufO.cs High entropy of concatenated method names: 'UDKAV7WacB', 'NGqAZYdiCx', 'IumArdoEWb', 'q3sAhNXYUC', 'Yf0ARC1XLT', 'N44Aash1g4', 'EsZAp2VnQ4', 'BHyA4ZCssE', 'fapAoCYMBF', 'D8CAd5Ngg6'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, uwQd63hVoUjkE35mIB.cs High entropy of concatenated method names: 'ehoFiZGsZt', 'G54FGnFHS9', 'ToString', 'JnnFWK9XIj', 'WLeFA4QgJo', 'TfZFMaBdJq', 'qdDF5mCkLb', 'aVFFUqDdId', 'yK1Fyd2LBE', 'TETFgDy7u1'
Source: 0.2.Kayla Dennis CV.exe.84f0000.4.raw.unpack, xKwrqWApA4CjlIblEN.cs High entropy of concatenated method names: 'Dispose', 'rJmHo5AxIZ', 'OTySfiHa95', 'zKGsRrLkOU', 'gf7HdXJ9qh', 'AiYHzwrMHp', 'ProcessDialogKey', 'Nd8SBeMT1k', 'eZxSHrLyrX', 'chUSSYZBwc'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, Ae3EapnZ1ndJoCaosg.cs High entropy of concatenated method names: 'fBwyW76B29', 'zr7yME9E5V', 'rEUyUpqDjI', 'AMmUdvjMND', 'PfSUz7aPTA', 'oJYyBtP5HZ', 'GeqyHdB3k3', 'o89yS9ieiV', 'g8GylhCpNr', 'Uyqyq8Bs3K'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, zZBwcFdoCBhDHvdrMM.cs High entropy of concatenated method names: 'TJJvMsFir8', 'wM6v5STYFS', 'Ax8vU2BvHU', 'y4CvyCx9cs', 'vbfv2LJTx8', 'gGXvgcBxFQ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, zeMT1koqZxrLyrXShU.cs High entropy of concatenated method names: 'kSl2bZ7c8j', 'zVC2fOd46r', 'Od22JtDZlm', 'U5U2XR3lLN', 'lkL21AOism', 'Yd32CYZ7hM', 'U5M2ndtZ3F', 'O2e2wfMXLS', 'b6F2jQIsnI', 'aoe2TDkCtn'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, qFWcJZVwvHTZWf33J1.cs High entropy of concatenated method names: 'Ojr7TpZypU', 'E7I709nnLq', 'wkN7Vu68hv', 'v3P7Zfv0va', 'LQa7fuBIeE', 'eDK7JVO9RZ', 'iTL7XDouVq', 'Oh5717ufkx', 'x1D7CdQHe7', 'Alv7nPaJKn'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, Et4w0UHHdcftwrrdAtp.cs High entropy of concatenated method names: 'UeAvdSb4ZQ', 'IX2vzGsBHi', 'gVH6BECLu2', 'm6X6HUWPbY', 'lDT6Sp6Uvg', 'geE6lHmt9R', 'CvH6q81Fe7', 'qqb6cBIBpF', 'BK36WFbO4U', 'cIa6AcK8GZ'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, K9CQNMrr6cZBHfROeJ.cs High entropy of concatenated method names: 'ToString', 'guoO9VrYpi', 'rdkOfuukvn', 'GImOJODpH8', 'QilOXgKLCE', 'xViO1craXK', 'dmROC8ejpL', 'Ua6Onpog98', 'hMIOwMQhJ1', 'e7TOjwlfGl'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, oyVIcTqqP4C6AwsfEK.cs High entropy of concatenated method names: 'rJUHy0Wcui', 'fSwHgH93uG', 'uS6HirC03X', 'XOQHGFxe67', 'UdqH7Yjy05', 'wP7HOHCDY9', 'e4Ou1PlVZn1FbSUMMI', 'KEpxqRSxBGMhhnKR7g', 'K6Z1L4jGHejX3XdxPj', 'cNCHHQUBGk'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, rNBnHnp1WKJm5AxIZM.cs High entropy of concatenated method names: 'ltp27jKoUC', 'ikc2FKrRkY', 'IXm22SMVju', 'Nsp265KOsC', 'J1O2xKNZJQ', 'eMu2mD88QR', 'Dispose', 'H5LKWTj2jg', 'CViKAOxeoP', 'D8FKMG86Jh'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, Ch0lk6HBVj9gH1dXbDR.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'B8Iv93e3k5', 'hDcv05MZC4', 'YMtvu5wDCE', 'gFQvVFUkcA', 'MWQvZdEQuL', 'vx1vrnjrBM', 'JMSvhsrxMu'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, qq0i0xtS6rC03X4OQF.cs High entropy of concatenated method names: 'DPPMY4eC7s', 'M8nMLaAP6K', 'Eq0MQN2xFb', 'h1QMtX7muk', 'CAAM7UofyA', 'a7fMOHTjPd', 'frSMFu4K4t', 'dZmMKCCqru', 'TPYM2AMMUY', 'FdNMv7wZOA'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, EoWQELuK6MS0aI4AZn.cs High entropy of concatenated method names: 'LcN3QQ3861', 'IOZ3tYvelN', 'SBH3bGHt7a', 'BWl3fF0Mrp', 'ja23XXrhMM', 'Ggw318aOcR', 'EXj3nvJsQB', 'kW53wLJgMl', 'WxS3T1PNJZ', 'dLK39eAaax'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, j05EP7bHCDY9bVeb91.cs High entropy of concatenated method names: 'HuXUcUK1Wt', 'yAtUA96WRN', 'p5RU5EUSpb', 'kNcUytuXHc', 'XNKUgCaH1Q', 'me45R9T2DP', 'OTc5ayrgrt', 'FZS5p6OhMm', 'FLl54NAG8P', 'NJ55oDCZBG'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, mcLAcvjWC5sDoJTaiB.cs High entropy of concatenated method names: 'G7lye2NI3l', 'j1NyDSyr5P', 'PrGy8iMkNf', 'XXCyYSCkJL', 'bg1yk0uLmk', 'jgmyLwAXpd', 'WCNyNscGDR', 'XPAyQKFZpJ', 'X5lyt14bPC', 'QdwyIH1veW'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, ve67QJIErbjQ2RdqYj.cs High entropy of concatenated method names: 'Aot5koFUs9', 'Bvn5NfFVNJ', 'nSeMJvcmYb', 'mDuMXbva5f', 'FvuM1cGliW', 'glOMCI2RB1', 'eAfMnppDA1', 'ItaMwPNlqS', 'H9LMjmoe8p', 'rIRMT1mgpR'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, w1Wamsg80XvcbX1PDi.cs High entropy of concatenated method names: 'MinlcY01X1', 'buxlW2A0PM', 'pCAlAapHkX', 'zdYlMw9nw9', 'aR2l548Ys8', 'cg5lU0EjOp', 'Fk1lyh2hEa', 'r0GlgC8PMW', 'c15lP4C6iv', 'peIli6pPbW'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, FoAFRBaaCt9wLgIjEA.cs High entropy of concatenated method names: 'bI2F43Kuhd', 'iPtFdBG81p', 'hMSKBntYOx', 'AnBKHuuUjU', 'UNPF9fXWmr', 'rSqF0RkJL1', 'Jc5FuMe4Gi', 'KetFV6gXMe', 'I9xFZNUtNT', 'jbkFrsD0Xj'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, qfee45ScyUVTNoxrqO.cs High entropy of concatenated method names: 'r438KqbKP', 'GhaYb3nJP', 'uL1LZ1IhJ', 'xXCNJqLLF', 'xretaYAeJ', 'X4rIsXJkr', 'okUWK9PwRXxVfei56R', 'Usr43lfDOXW0PJ7320', 'pRpKo1xgj', 'UQZvfsAAk'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, XLJX4JHqAW5aPYZSNNV.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Q1is2oA8Gd', 'VrOsvcE3Om', 'mtHs66PReB', 'MZSssXyLna', 'U1FsxIDhrk', 'L1RsEnZbLP', 'ejwsmx2FSo'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, qKGIPyzat1P0lbO4vD.cs High entropy of concatenated method names: 'rPUvLGJ45q', 'l5UvQUXi1R', 'gr1vtiQhxk', 'bUrvbtyXZB', 'MpKvfQGK9v', 'AcGvXnUjYL', 'X4dv1gpMMA', 'CIlvmiYf0u', 'qngvedj0qJ', 'R8FvDRF3bv'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, i0WcuiQWSwH93uGufO.cs High entropy of concatenated method names: 'UDKAV7WacB', 'NGqAZYdiCx', 'IumArdoEWb', 'q3sAhNXYUC', 'Yf0ARC1XLT', 'N44Aash1g4', 'EsZAp2VnQ4', 'BHyA4ZCssE', 'fapAoCYMBF', 'D8CAd5Ngg6'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, uwQd63hVoUjkE35mIB.cs High entropy of concatenated method names: 'ehoFiZGsZt', 'G54FGnFHS9', 'ToString', 'JnnFWK9XIj', 'WLeFA4QgJo', 'TfZFMaBdJq', 'qdDF5mCkLb', 'aVFFUqDdId', 'yK1Fyd2LBE', 'TETFgDy7u1'
Source: 0.2.Kayla Dennis CV.exe.46362c0.2.raw.unpack, xKwrqWApA4CjlIblEN.cs High entropy of concatenated method names: 'Dispose', 'rJmHo5AxIZ', 'OTySfiHa95', 'zKGsRrLkOU', 'gf7HdXJ9qh', 'AiYHzwrMHp', 'ProcessDialogKey', 'Nd8SBeMT1k', 'eZxSHrLyrX', 'chUSSYZBwc'
Drops PE files
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe File created: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lyKbfEsVYfQfU.exe PID: 7428, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory allocated: 18A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory allocated: 3420000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory allocated: 1A00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory allocated: 86A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory allocated: 96A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory allocated: 9860000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory allocated: A860000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Memory allocated: 1500000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Memory allocated: 2FB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Memory allocated: 4FB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Memory allocated: 7DE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Memory allocated: 8DE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Memory allocated: 8F90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Memory allocated: 9F90000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599407 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598579 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598454 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598329 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598204 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598079 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597954 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597829 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597704 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597579 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597454 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597329 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597204 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597079 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596954 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596829 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596704 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596579 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596454 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596329 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596204 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596079 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595954 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595829 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595704 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595579 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595454 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595329 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594240 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593985 Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598904
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596434
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594437
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5704 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8207 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 665 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1577 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8242 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8310
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe TID: 764 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7336 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7404 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7252 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7328 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe TID: 7512 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599407 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598579 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598454 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598329 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598204 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598079 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597954 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597829 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597704 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597579 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597454 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597329 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597204 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597079 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596954 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596829 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596704 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596579 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596454 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596329 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596204 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596079 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595954 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595829 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595704 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595579 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595454 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595329 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594240 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593985 Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598904
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596434
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594437
Source: RegSvcs.exe, 0000000B.00000002.3285264129.0000000001336000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|
Source: Kayla Dennis CV.exe, 00000000.00000002.2141784230.0000000007C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000i
Source: RegSvcs.exe, 00000011.00000002.3286353518.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 17_2_0563CE20 LdrInitializeThunk, 17_2_0563CE20
Enables debug privileges
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe"
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe"
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe" Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe" Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000 Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 424000 Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FF1008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 424000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9AF008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Kayla Dennis CV.exe" Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe" Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp796.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyKbfEsVYfQfU" /XML "C:\Users\user\AppData\Local\Temp\tmp2EE5.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Queries volume information: C:\Users\user\Desktop\Kayla Dennis CV.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech\v4.0_4.0.0.0__31bf3856ad364e35\System.Speech.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Queries volume information: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Speech\v4.0_4.0.0.0__31bf3856ad364e35\System.Speech.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\lyKbfEsVYfQfU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Kayla Dennis CV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3288992952.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3289778566.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3289778566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3288992952.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7740, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7740, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Kayla Dennis CV.exe.44978d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Kayla Dennis CV.exe.44b86f8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Kayla Dennis CV.exe.44978d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Kayla Dennis CV.exe.44b86f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3288992952.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3289778566.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3282277125.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3289778566.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3288992952.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2133658014.0000000004421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Kayla Dennis CV.exe PID: 6300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7740, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1557909 Sample: Kayla Dennis CV.exe Startdate: 18/11/2024 Architecture: WINDOWS Score: 100 50 reallyfreegeoip.org 2->50 52 checkip.dyndns.org 2->52 54 checkip.dyndns.com 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Sigma detected: Scheduled temp file as task from temp location 2->60 64 10 other signatures 2->64 8 Kayla Dennis CV.exe 7 2->8         started        12 lyKbfEsVYfQfU.exe 5 2->12         started        signatures3 62 Tries to detect the country of the analysis system (by using the IP) 50->62 process4 file5 38 C:\Users\user\AppData\...\lyKbfEsVYfQfU.exe, PE32 8->38 dropped 40 C:\...\lyKbfEsVYfQfU.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\Temp\tmp796.tmp, XML 8->42 dropped 44 C:\Users\user\...\Kayla Dennis CV.exe.log, ASCII 8->44 dropped 66 Writes to foreign memory regions 8->66 68 Allocates memory in foreign processes 8->68 70 Adds a directory exclusion to Windows Defender 8->70 14 powershell.exe 23 8->14         started        17 RegSvcs.exe 15 2 8->17         started        20 powershell.exe 23 8->20         started        26 3 other processes 8->26 72 Multi AV Scanner detection for dropped file 12->72 74 Machine Learning detection for dropped file 12->74 76 Injects a PE file into a foreign processes 12->76 22 RegSvcs.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 78 Loading BitLocker PowerShell Module 14->78 28 conhost.exe 14->28         started        30 WmiPrvSE.exe 14->30         started        46 checkip.dyndns.com 132.226.247.73, 49711, 49714, 49716 UTMEMUS United States 17->46 48 reallyfreegeoip.org 188.114.96.3, 443, 49712, 49713 CLOUDFLARENETUS European Union 17->48 32 conhost.exe 20->32         started        80 Tries to steal Mail credentials (via file / registry access) 22->80 82 Tries to harvest and steal browser information (history, passwords, etc) 22->82 34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.96.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS false
132.226.247.73
 checkip.dyndns.com United States
16989 UTMEMUS false

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.96.3 true
checkip.dyndns.com 132.226.247.73 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
    		high
    https://reallyfreegeoip.org/xml/155.94.241.187 false
      		high