Windows Analysis Report
z1MB267382625AE.exe

Overview

General Information

Sample name: z1MB267382625AE.exe
Analysis ID: 1560033
MD5: b996196f91e1480ba0a4bb0304a1f960
SHA1: 417edfb082a48d152475e0a174162d05e9581045
SHA256: f6b094d042f1ccc79ef5060b18495c6bee55585630fac2c3d3f32a8c9c174de6
Tags: exe, user-Porcupine

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000008.00000002.3891998369.000000000041A000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "FTP", "FTP Server": "ftp://cpanel2-nl.thcservers.com/", "FTP Username": "snup@lifechangerscare.com", "Password": "Uvob2G1Tc73ZCus02X", "Version": "5.1"}
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe ReversingLabs: Detection: 31%
Source: z1MB267382625AE.exe ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Joe Sandbox ML: detected
Source: z1MB267382625AE.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: z1MB267382625AE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.11:49706 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.11:49710 version: TLS 1.0
Source: z1MB267382625AE.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wJIQ.pdb source: z1MB267382625AE.exe, pNgFqm.exe.0.dr
Source: Binary string: wJIQ.pdbSHA256 source: z1MB267382625AE.exe, pNgFqm.exe.0.dr
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 0101F1F6h 8_2_0101F007
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 0101FB80h 8_2_0101F007
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 8_2_0101E528
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 8_2_0101EB5B
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 8_2_0101ED3C
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 06758945h 8_2_06758608
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 067565C9h 8_2_06756320
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 067558C1h 8_2_06755618
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 06756171h 8_2_06755EC8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 06756A21h 8_2_06756778
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 06757751h 8_2_067574A8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 06750741h 8_2_06750498
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 06758001h 8_2_06757D58
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 06750FF1h 8_2_06750D48
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 06755D19h 8_2_06755A70
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 06756E79h 8_2_06756BD0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 8_2_067533B8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 8_2_067533A8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 067572FAh 8_2_06757050
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 067502E9h 8_2_06750040
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 06750B99h 8_2_067508F0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 06757BA9h 8_2_06757900
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 06758459h 8_2_067581B0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 4x nop then jmp 06755441h 8_2_06755198
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 0150F1F6h 13_2_0150F007
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 0150FB80h 13_2_0150F007
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 13_2_0150E528
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C48945h 13_2_06C48608
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 13_2_06C436CE
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C46171h 13_2_06C45EC8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C458C1h 13_2_06C45618
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C46A21h 13_2_06C46778
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C40741h 13_2_06C40498
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C47751h 13_2_06C474A8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C40FF1h 13_2_06C40D48
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C48001h 13_2_06C47D58
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C45D19h 13_2_06C45A70
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C46E79h 13_2_06C46BD0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 13_2_06C433A8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 13_2_06C433B8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C465C9h 13_2_06C46320
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C40B99h 13_2_06C408F0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C402E9h 13_2_06C40040
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C472FAh 13_2_06C47050
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C45441h 13_2_06C45198
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C48459h 13_2_06C481B0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 4x nop then jmp 06C47BA9h 13_2_06C47900

Networking

Source: Yara match File source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 132.226.247.73 132.226.247.73
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49709 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49705 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49713 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49715 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49708 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49712 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49711 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49716 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49707 -> 188.114.97.3:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.11:49706 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.11:49710 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003098000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000316D000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: z1MB267382625AE.exe, 00000008.00000002.3894760965.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: z1MB267382625AE.exe, 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: pNgFqm.exe, 0000000D.00000002.3897961690.00000000067B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft.c
Source: z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002AAE000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: z1MB267382625AE.exe, 00000000.00000002.1463110656.0000000002751000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000A.00000002.1512536121.0000000002611000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: z1MB267382625AE.exe, 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030A4000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: pNgFqm.exe, 0000000D.00000002.3894344951.00000000030E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B28000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000315F000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000319B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003144000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.000000000318D000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.00000000030E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
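The network listing above has two lines per TLS connection (one per direction: ephemeral port -> 443 and 443 -> ephemeral port), so the 32 lines collapse to 16 client ports, each seen in both directions. The geo-IP strings in the same block carry an IP address (8.46.123.75) that is the analysis machine's own public address, which the keylogger resolves in order to look up its country; only the service host is a usable indicator. The following Python is an added triage helper, not sandbox output or malware code. Its SAMPLE copies three string hits (source lists shortened to one dump each) and eight traffic lines from the report; the final line with client port 49799 is constructed to show how an unpaired direction is reported.

```python
"""Triage helper for the network section of this report: pair the one-directional
'HTTP traffic on port X -> Y' lines into TLS flows and pull the geo-IP lookup out of
the 'String found in binary or memory' hits.

Added example; this is not sandbox output or Snake Keylogger code. The first eleven
SAMPLE lines are copied from the report; the last one (client port 49799) is
constructed to show how an unpaired direction is reported.
"""
import re
from collections import defaultdict

TRAFFIC_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
STRING_RE = re.compile(r"String found in binary or memory: (\S+)")
# Lookup URL of the form https://<host>/xml/<ip>; only the IP part is captured.
GEOIP_RE = re.compile(r"https?://[^/\s]+/xml/(\d{1,3}(?:\.\d{1,3}){3})")

SAMPLE = """\
Source: z1MB267382625AE.exe, 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: pNgFqm.exe, 0000000D.00000002.3894344951.00000000030E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: pNgFqm.exe, 0000000D.00000002.3894344951.0000000003137000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
"""


def parse_flows(text, server_port=443):
    """Group the port-pair lines into flows keyed by the client's ephemeral port.

    The report logs only ports, not peer addresses, so the side equal to
    server_port is taken as the server and the other side as the client.
    """
    flows = defaultdict(lambda: {"to_server": False, "from_server": False})
    for src, dst in TRAFFIC_RE.findall(text):
        src, dst = int(src), int(dst)
        if dst == server_port:
            flows[src]["to_server"] = True
        elif src == server_port:
            flows[dst]["from_server"] = True
    return dict(flows)


def split_flows(flows):
    """Return (client ports seen in both directions, client ports seen in one only)."""
    both = sorted(p for p, f in flows.items() if f["to_server"] and f["from_server"])
    one = sorted(p for p in flows if p not in both)
    return both, one


def extract_geoip(text):
    """Return (lookup URL prefixes, IPs that were looked up).

    The IP is the address the infected host resolved for itself before asking
    the geo-IP service for its country, i.e. the sandbox's own egress address.
    It is not attacker infrastructure and must not be fed to a blocklist; the
    service host is the only indicator worth keeping, and as a public service
    it warrants an alert rather than a block.
    """
    urls, ips = set(), set()
    for s in STRING_RE.findall(text):
        # Assumption: a trailing '$' is a byte adjacent to the string that the
        # scanner swept up (the report shows the URL both with and without it).
        s = s.rstrip("$")
        m = GEOIP_RE.match(s)
        if m:
            ips.add(m.group(1))
            urls.add(s[: m.start(1)])
        else:
            urls.add(s)
    return urls, ips


def triage(text):
    """One-shot summary of the network evidence in a report excerpt."""
    both, one = split_flows(parse_flows(text))
    urls, ips = extract_geoip(text)
    return {"tls_flows": both, "half_seen": one,
            "geoip_urls": sorted(urls), "self_ips": sorted(ips)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full report text the same functions give 16 complete flows and no half-seen ports; a half-seen port in a real capture usually means the sandbox truncated the session rather than that the server never answered.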

System Summary

Source: 8.2.z1MB267382625AE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000D.00000002.3891998922.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 0_2_00B8D55C 0_2_00B8D55C
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_01016108 8_2_01016108
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0101C193 8_2_0101C193
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0101F007 8_2_0101F007
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0101B328 8_2_0101B328
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0101C470 8_2_0101C470
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_01016730 8_2_01016730
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0101C753 8_2_0101C753
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_01019858 8_2_01019858
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0101BBD3 8_2_0101BBD3
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0101CA33 8_2_0101CA33
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_01014AD9 8_2_01014AD9
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0101BEB7 8_2_0101BEB7
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0101E517 8_2_0101E517
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0101E528 8_2_0101E528
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_01013573 8_2_01013573
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0101B4F3 8_2_0101B4F3
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675D670 8_2_0675D670
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06758608 8_2_06758608
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675B6E8 8_2_0675B6E8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675A408 8_2_0675A408
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675BD38 8_2_0675BD38
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675AA58 8_2_0675AA58
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06758B58 8_2_06758B58
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06756320 8_2_06756320
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675C388 8_2_0675C388
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675D028 8_2_0675D028
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675B0A0 8_2_0675B0A0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675C9D8 8_2_0675C9D8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_067511A0 8_2_067511A0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675D663 8_2_0675D663
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06755618 8_2_06755618
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06755609 8_2_06755609
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675B6D9 8_2_0675B6D9
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06755EC8 8_2_06755EC8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06755EB8 8_2_06755EB8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06756778 8_2_06756778
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675676A 8_2_0675676A
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06753730 8_2_06753730
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06754430 8_2_06754430
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_067574A8 8_2_067574A8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06757497 8_2_06757497
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06750498 8_2_06750498
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06750488 8_2_06750488
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06757D58 8_2_06757D58
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06750D48 8_2_06750D48
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06757D48 8_2_06757D48
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06750D39 8_2_06750D39
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675BD28 8_2_0675BD28
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_067585FC 8_2_067585FC
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06755A70 8_2_06755A70
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06755A60 8_2_06755A60
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675AA48 8_2_0675AA48
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675C378 8_2_0675C378
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06756310 8_2_06756310
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675A3F8 8_2_0675A3F8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06756BD0 8_2_06756BD0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06756BC1 8_2_06756BC1
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_067533B8 8_2_067533B8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_067533A8 8_2_067533A8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06757050 8_2_06757050
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06750040 8_2_06750040
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06757040 8_2_06757040
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06752818 8_2_06752818
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675D018 8_2_0675D018
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06750007 8_2_06750007
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06752807 8_2_06752807
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_067508F0 8_2_067508F0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_067578F0 8_2_067578F0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_067508E0 8_2_067508E0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675B08F 8_2_0675B08F
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06757900 8_2_06757900
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675C9C8 8_2_0675C9C8
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_067581B0 8_2_067581B0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_067581A0 8_2_067581A0
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06751191 8_2_06751191
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_06755198 8_2_06755198
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_0675518A 8_2_0675518A
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 10_2_0244D55C 10_2_0244D55C
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_01506108 13_2_01506108
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_0150C190 13_2_0150C190
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_0150F007 13_2_0150F007
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_0150B328 13_2_0150B328
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_0150C470 13_2_0150C470
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_0150C752 13_2_0150C752
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_01509858 13_2_01509858
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_01506880 13_2_01506880
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_0150BBD2 13_2_0150BBD2
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_0150CA32 13_2_0150CA32
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_01504AD9 13_2_01504AD9
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_0150BEB0 13_2_0150BEB0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_01503572 13_2_01503572
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_0150E517 13_2_0150E517
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_0150E528 13_2_0150E528
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_0150B4F2 13_2_0150B4F2
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4B6E8 13_2_06C4B6E8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4D670 13_2_06C4D670
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C48608 13_2_06C48608
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C48C5B 13_2_06C48C5B
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4A408 13_2_06C4A408
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4BD38 13_2_06C4BD38
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4AA58 13_2_06C4AA58
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4C388 13_2_06C4C388
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4B0A0 13_2_06C4B0A0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4D028 13_2_06C4D028
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4C9D8 13_2_06C4C9D8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C411A0 13_2_06C411A0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C45EC8 13_2_06C45EC8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4B6E3 13_2_06C4B6E3
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C45EB8 13_2_06C45EB8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4D66B 13_2_06C4D66B
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4560A 13_2_06C4560A
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C45618 13_2_06C45618
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4676A 13_2_06C4676A
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C46778 13_2_06C46778
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C43730 13_2_06C43730
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C40488 13_2_06C40488
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C47497 13_2_06C47497
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C40498 13_2_06C40498
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C474A8 13_2_06C474A8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C44430 13_2_06C44430
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C485FC 13_2_06C485FC
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C40D48 13_2_06C40D48
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C47D48 13_2_06C47D48
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C47D58 13_2_06C47D58
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4BD33 13_2_06C4BD33
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C40D39 13_2_06C40D39
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4AA4B 13_2_06C4AA4B
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C45A60 13_2_06C45A60
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C45A70 13_2_06C45A70
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C46BC1 13_2_06C46BC1
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C46BD0 13_2_06C46BD0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4A3F8 13_2_06C4A3F8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4C383 13_2_06C4C383
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C433A8 13_2_06C433A8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C433B8 13_2_06C433B8
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C46312 13_2_06C46312
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C46320 13_2_06C46320
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C408E0 13_2_06C408E0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C408F0 13_2_06C408F0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C478F0 13_2_06C478F0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4B09B 13_2_06C4B09B
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C40040 13_2_06C40040
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C47040 13_2_06C47040
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C47050 13_2_06C47050
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C40006 13_2_06C40006
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C42807 13_2_06C42807
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C42818 13_2_06C42818
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4D023 13_2_06C4D023
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4C9D3 13_2_06C4C9D3
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C4518A 13_2_06C4518A
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C41191 13_2_06C41191
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C45198 13_2_06C45198
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C481A0 13_2_06C481A0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C481B0 13_2_06C481B0
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C47900 13_2_06C47900
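The 'Code function' addresses flagged for process 8 (the injected stage of z1MB267382625AE.exe) and process 13 (the dropped pNgFqm.exe) differ by a constant 0x4F0000 in both address ranges (0x01016108 vs 0x01506108, 0x0675D670 vs 0x06C4D670), with a few function starts placed one to seven bytes apart. That is what a rebased copy of the same code looks like, so the two listings are one payload counted twice, not two binaries. The Python below is an added example, not part of the sandbox report or of the malware: it parses the entries, votes for the rebase delta, and pairs functions with a small tolerance. REPORT_FUNCS copies the 0x0101xxxx and 0x0150xxxx entries from the listing above; the page-bucket vote and the 8-byte tolerance are this example's own heuristics.

```python
"""Test whether two processes in this report run the same code at a constant
rebase by correlating their 'Code function' start addresses.

Added example; not part of the sandbox report or of the malware. REPORT_FUNCS
copies the 0x0101xxxx entries of process 8 (z1MB267382625AE.exe) and the
0x0150xxxx entries of process 13 (the dropped pNgFqm.exe) from the listing above.
The page-bucket vote and the 8-byte tolerance are this example's own heuristics.
"""
import re
from collections import Counter

# Matches the '<process>_2_<hex address>' tokens, whether given bare or inside
# a full 'Source: ... Code function: 8_2_01016108 8_2_01016108' report line.
FUNC_RE = re.compile(r"(\d+)_2_([0-9A-Fa-f]{8})")

REPORT_FUNCS = """
8_2_01016108 8_2_0101C193 8_2_0101F007 8_2_0101B328 8_2_0101C470 8_2_01016730
8_2_0101C753 8_2_01019858 8_2_0101BBD3 8_2_0101CA33 8_2_01014AD9 8_2_0101BEB7
8_2_0101E517 8_2_0101E528 8_2_01013573 8_2_0101B4F3
13_2_01506108 13_2_0150C190 13_2_0150F007 13_2_0150B328 13_2_0150C470 13_2_0150C752
13_2_01509858 13_2_01506880 13_2_0150BBD2 13_2_0150CA32 13_2_01504AD9 13_2_0150BEB0
13_2_01503572 13_2_0150E517 13_2_0150E528 13_2_0150B4F2
"""


def parse_functions(text):
    """Return {process index: sorted, de-duplicated function start addresses}."""
    funcs = {}
    for proc, addr in FUNC_RE.findall(text):
        funcs.setdefault(int(proc), set()).add(int(addr, 16))
    return {p: sorted(a) for p, a in funcs.items()}


def find_rebase_delta(a_addrs, b_addrs, page=0x1000):
    """Estimate the constant offset that maps A's functions onto B's.

    Every pairwise difference b - a casts a vote. Votes are first bucketed to
    the nearest page so that function starts the disassembler placed a few
    bytes apart still agree; the exact delta is then the most common
    difference inside the winning bucket.
    """
    if not a_addrs or not b_addrs:
        return None
    coarse, exact = Counter(), Counter()
    for a in a_addrs:
        for b in b_addrs:
            d = b - a
            coarse[(d + page // 2) // page] += 1
            exact[d] += 1
    bucket = coarse.most_common(1)[0][0]
    in_bucket = {d: n for d, n in exact.items() if (d + page // 2) // page == bucket}
    return max(in_bucket, key=in_bucket.get)


def match_functions(a_addrs, b_addrs, delta, tol=8):
    """Pair each A function with the B function nearest a + delta, if it lies
    within tol bytes. Returns (pairs, unmatched_a, unmatched_b)."""
    pairs, used = [], set()
    for a in a_addrs:
        target = a + delta
        best = min(b_addrs, key=lambda b: abs(b - target))
        if abs(best - target) <= tol and best not in used:
            pairs.append((a, best))
            used.add(best)
    matched_a = {a for a, _ in pairs}
    return (pairs,
            [a for a in a_addrs if a not in matched_a],
            [b for b in b_addrs if b not in used])


def correlate(text, proc_a, proc_b, tol=8):
    """Summarise how well proc_a's flagged functions map onto proc_b's."""
    funcs = parse_functions(text)
    a, b = funcs[proc_a], funcs[proc_b]
    delta = find_rebase_delta(a, b)
    pairs, only_a, only_b = match_functions(a, b, delta, tol)
    return {"delta": delta, "matched": len(pairs), "only_a": only_a,
            "only_b": only_b, "overlap": len(pairs) / max(len(a), len(b))}


if __name__ == "__main__":
    r = correlate(REPORT_FUNCS, 8, 13)
    print(f"rebase delta 0x{r['delta']:X}, {r['matched']} functions line up "
          f"({r['overlap']:.0%}); only in 8: {[hex(x) for x in r['only_a']]}, "
          f"only in 13: {[hex(x) for x in r['only_b']]}")
```

On the embedded entries the vote lands on 0x4F0000 and 15 of 16 functions pair up; the two leftovers (0x01016730 in process 8, 0x01506880 in process 13) are 0x150 bytes apart and are most plausibly the same routine with a different detected start, but the tolerance is deliberately tight so that such cases are surfaced rather than silently absorbed.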
Source: z1MB267382625AE.exe, 00000000.00000002.1476561328.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewJIQ.exe: vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000000.1425507637.0000000000302000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewJIQ.exe: vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000002.1457878096.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000002.1478303769.0000000005C10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000002.1463110656.000000000276B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000002.1470193070.0000000004C10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000002.1463110656.0000000002751000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000008.00000002.3891998369.000000000041C000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe, 00000008.00000002.3892251456.0000000000B37000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe Binary or memory string: OriginalFilenamewJIQ.exe: vs z1MB267382625AE.exe
Source: z1MB267382625AE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.2.z1MB267382625AE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000D.00000002.3891998922.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
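The two YARA listings above show the same hits twice, first by rule description and then with the rules' metadata. What carries the family verdict is that the two Snake Keylogger rules (Elastic's Windows_Trojan_SnakeKeylogger_af3faa65 and ditekSHen's MALWARE_Win_SnakeKeylogger) fire on the unpacked PE from process 0, on the memory of process 13 (the dropped copy) and on both live process spaces; MAL_Envrial_Jan18_1 is a 2018 rule written for a different credential stealer and INDICATOR_SUSPICIOUS_EXE_DotNetProcHook is a generic hooking indicator, so they corroborate stealer behaviour without naming the family. The Python below is an added example, not sandbox code, that turns the metadata-form lines into that per-rule summary. SAMPLE holds nine lines copied from the listing above; treating every rule whose name contains the verdict family as a "family rule" and the rest as "generic" is this example's own convention.

```python
"""Summarise the YARA 'Matched rule' lines of this report: which rule fired on
which artefact, with its metadata, and which rules carry the family verdict.

Added example, not sandbox code. SAMPLE copies nine metadata-form lines from the
report. Classifying rules by whether their name contains the verdict family is
this example's own convention.
"""
import re
from collections import Counter

MATCH_RE = re.compile(
    r"^Source: (?P<src>.+?), type: (?P<type>\w+) Matched rule: (?P<rule>\S+)\s*(?P<meta>.*)$"
)
# Where an artefact came from: a sandbox process index ('0.2.' / '0000000D.')
# or a live process ('PID: 3400').
ORIGIN_RES = [
    (re.compile(r"^(\d+)\.2\."), lambda m: f"proc {int(m.group(1))}"),
    (re.compile(r"^([0-9A-F]{8})\."), lambda m: f"proc {int(m.group(1), 16)}"),
    (re.compile(r"PID: (\d+)"), lambda m: f"PID {m.group(1)}"),
]

SAMPLE = """\
Source: 8.2.z1MB267382625AE.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000D.00000002.3891998922.0000000000410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
"""


def parse_meta(s):
    """Parse 'k = v, k = v' metadata. A fragment without ' = ' is the tail of a
    value that itself contained ', ' (e.g. scan_context = file, memory)."""
    meta, last = {}, None
    for frag in s.split(", "):
        if " = " in frag:
            last, value = frag.split(" = ", 1)
            meta[last.strip()] = value.strip()
        elif last:
            meta[last.strip()] += ", " + frag
    return meta


def origin_of(src):
    for rx, fmt in ORIGIN_RES:
        m = rx.search(src)
        if m:
            return fmt(m)
    return "?"


def parse_matches(text):
    hits = []
    for line in text.splitlines():
        m = MATCH_RE.match(line)
        if m:
            hits.append({"src": m["src"], "type": m["type"], "rule": m["rule"],
                         "origin": origin_of(m["src"]), "meta": parse_meta(m["meta"])})
    return hits


def aggregate(hits):
    """Per rule: artefact types hit, processes it was seen in, distinct sources, metadata."""
    agg = {}
    for h in hits:
        r = agg.setdefault(h["rule"], {"types": Counter(), "origins": set(),
                                       "sources": set(), "meta": {}})
        r["types"][h["type"]] += 1
        r["origins"].add(h["origin"])
        r["sources"].add(h["src"])
        r["meta"].update(h["meta"])
    return agg


def family_evidence(agg, family):
    """Split rules into those naming the verdict family and the rest (generic)."""
    fam = {n: v for n, v in agg.items() if family.lower() in n.lower()}
    return fam, sorted(n for n in agg if n not in fam)


if __name__ == "__main__":
    fam, generic = family_evidence(aggregate(parse_matches(SAMPLE)), "SnakeKeylogger")
    for name, r in fam.items():
        print(f"{name}: {dict(r['types'])} in {sorted(r['origins'])}; id={r['meta'].get('id', '-')}")
    print("generic:", generic)
```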
Source: z1MB267382625AE.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pNgFqm.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, e8OsT9IkGEmBGJinVc.cs Security API names: _0020.SetAccessControl
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, e8OsT9IkGEmBGJinVc.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, e8OsT9IkGEmBGJinVc.cs Security API names: _0020.AddAccessRule
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, dZ0gV3u5ACxDwCEBtl.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, dZ0gV3u5ACxDwCEBtl.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, e8OsT9IkGEmBGJinVc.cs Security API names: _0020.SetAccessControl
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, e8OsT9IkGEmBGJinVc.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, e8OsT9IkGEmBGJinVc.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/2
Source: C:\Users\user\Desktop\z1MB267382625AE.exe File created: C:\Users\user\AppData\Roaming\pNgFqm.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6652:120:WilError_03
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2012:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_03
Source: C:\Users\user\Desktop\z1MB267382625AE.exe File created: C:\Users\user\AppData\Local\Temp\tmpCA64.tmp
Source: z1MB267382625AE.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: z1MB267382625AE.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\z1MB267382625AE.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002C25000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3894760965.0000000002C07000.00000004.00000800.00020000.00000000.sdmp, z1MB267382625AE.exe, 00000008.00000002.3897007503.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003215000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3896656638.000000000406B000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003267000.00000004.00000800.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3894344951.0000000003233000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: z1MB267382625AE.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\z1MB267382625AE.exe File read: C:\Users\user\Desktop\z1MB267382625AE.exe
Source: unknown Process created: C:\Users\user\Desktop\z1MB267382625AE.exe "C:\Users\user\Desktop\z1MB267382625AE.exe"
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNgFqm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process created: C:\Users\user\Desktop\z1MB267382625AE.exe "C:\Users\user\Desktop\z1MB267382625AE.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\pNgFqm.exe C:\Users\user\AppData\Roaming\pNgFqm.exe
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpDFA2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Process created: C:\Users\user\AppData\Roaming\pNgFqm.exe "C:\Users\user\AppData\Roaming\pNgFqm.exe"
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\z1MB267382625AE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: z1MB267382625AE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: z1MB267382625AE.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: z1MB267382625AE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wJIQ.pdb source: z1MB267382625AE.exe, pNgFqm.exe.0.dr
Source: Binary string: wJIQ.pdbSHA256 source: z1MB267382625AE.exe, pNgFqm.exe.0.dr

Data Obfuscation

Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, e8OsT9IkGEmBGJinVc.cs .Net Code: QNSgyL9ZSf System.Reflection.Assembly.Load(byte[])
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, e8OsT9IkGEmBGJinVc.cs .Net Code: QNSgyL9ZSf System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Code function: 8_2_010124B9 push 8BFFFFFFh; retf 8_2_010124BF
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C497E9 push ss; ret 13_2_06C497EA
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C497F8 push ss; ret 13_2_06C49896
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C48C51 push cs; ret 13_2_06C48C52
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C49A4B push ss; ret 13_2_06C49A4E
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Code function: 13_2_06C49999 push ss; ret 13_2_06C4999A
Source: z1MB267382625AE.exe Static PE information: section name: .text entropy: 7.796333260791543
Source: pNgFqm.exe.0.dr Static PE information: section name: .text entropy: 7.796333260791543
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, NJrKCeQ3un60MZ1QKE.cs High entropy of concatenated method names: 'NQBsNNYweq', 'ybpsbdbKEI', 'HhR1tCoL9M', 'f1s1lpEgSl', 'QHc1TuDsRW', 'UCJ1U5x0XT', 'gvp1JgeoDP', 'muy1d6j0EV', 'pqk15OxwKG', 'lLw1qHdpOH'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, fSyZE5rDZvdJn9DXtY.cs High entropy of concatenated method names: 'G0lpjuTuZs', 'iLZpAjJArR', 'nUhaFPW2P4', 'FdBaBdYiPl', 'Ed6pHnRAaU', 'smopDMiwQI', 'Vw2pVf9E4U', 'PTZpfHwZ40', 'ok9pCJMQpZ', 'BIcpOmbDL1'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, C7p1976WpxdpiE3qDH.cs High entropy of concatenated method names: 'RBq14uGoTe', 'bfg1Gx8wCb', 'fvD1uAWiQt', 'TAo16T9TZk', 'E8I1ZTjw3c', 'Jkf18VgOfd', 'uGj1pleFD1', 'CHZ1a8gEba', 'NX3175SnZ2', 'QVV12UkS8O'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, YZDwvZBBnDdGi69nQnm.cs High entropy of concatenated method names: 'UW52AtWkm0', 'i6i2zrJFH1', 'mwFRFCiw9r', 'BOORBNJpSB', 'XkORW9CDx1', 'U6fRoJqpww', 'tvYRgdydxF', 'MBaRhNm1CD', 'F1eRPY9ZMC', 'VHGRE5XLGt'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, LDDoBh5m2tPpAyxati.cs High entropy of concatenated method names: 'gEPvKS2M5P', 'bl9v3yP2fn', 'TSnvyCpaQZ', 'Bhkv4ViQWM', 'kZpvNavwlF', 'GohvGxFy04', 'fADvbDoeSK', 'w7evuJ1KDp', 'Fkuv6v2TDJ', 'pNSvQal7i8'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, dZ0gV3u5ACxDwCEBtl.cs High entropy of concatenated method names: 'EgkEfKmGPr', 'AscECAlHA5', 'MDmEO0Dmrv', 'raGEXb3ooO', 'LSFEnPtUde', 'UukErr2XOQ', 'rXYExiXdkW', 'anbEj6ZVnw', 'YcjE0tJl4x', 'RgAEAwH5nM'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, VV1gciVI4BL7lT53tl.cs High entropy of concatenated method names: 'aA9euDFQD5', 'in3e6mTopO', 's30emXqCqk', 'L2KeYGcF2k', 'vldel2LoH2', 'JBeeT15I28', 'RExeJZwdsf', 'iv9edXao92', 'JH5eq1TJmj', 'jymeHMWwP5'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, wiUCrRJON8iBnF8uWx.cs High entropy of concatenated method names: 'plZvPjTi1h', 'nQ0v16JBxh', 'UX5vL4X6rR', 'sWZLAYyCa5', 'AqULzbvAc6', 'KZYvFFZq4j', 'zc5vBU40xV', 'rUOvWpIvKK', 'in3voiIsBo', 'oYrvg6518Y'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, G3BWbf0bZM0Mx69pbj.cs High entropy of concatenated method names: 'NSG7mPm9sM', 'DxS7Y3Ssix', 'ool7tutOUy', 'nAu7lvvlXI', 'DFj7TMwHED', 'Xj47UNGLt3', 'I6D7JSuOFJ', 'hd17dwfpy3', 'V5e75lcBL4', 'mZE7q4L0vO'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, vZDPAsz2Q0dRk9j1J3.cs High entropy of concatenated method names: 'lcB2GEMQW5', 'Xv72uy4yG6', 'W3726bMS9T', 'Rsh2m2eeT0', 'jrW2YAWWr5', 'vnT2ltn6sA', 'k652TtidTu', 'fAS2cftEyo', 'hGV2KxXcWe', 'BQP23HFMtX'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, JVZcpDAGO2p5Cx1j8e.cs High entropy of concatenated method names: 'z2s21cGVVN', 'yp22sQXBrx', 'cPC2LVJ3Sd', 'epn2vf1evV', 'ohg27oExdY', 'wOj2I6w8hi', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, QKTkR7BFhU60XmjIbn6.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'I4s2HKUAQn', 'BX72DTj8rX', 'JgE2Vqn2dW', 'VTp2fRVdCZ', 'fNH2CYcECm', 'prJ2OBt6aH', 'W9F2XRpWSv'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, QpkwaDxGqb3Tn7ojrp.cs High entropy of concatenated method names: 'hgx7Z2epbL', 'fwA7pNne3M', 'ufn77e6m7E', 'OCP7RM2UGD', 'mfT7Sa7Rg9', 'Bqw7cN1mTD', 'Dispose', 'YgHaPaAsIp', 'f4eaEcPqmr', 'z4fa14loyX'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, TSSuwX1321RDOYSMDs.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Dl6W0p8sJZ', 'z76WABEKlb', 'tGOWzka0NU', 'h2CoFY4Mfm', 'gpQoB7J3hy', 'TMMoWS48aT', 'HkvooGywPk', 'wFxe2lGwiXKVhl7Fyo7'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, z0JtUNmrWRDPjyBNi5.cs High entropy of concatenated method names: 'H1ULhoyi1n', 'RreLEFwjgY', 'DpkLs5POE8', 'Oc6Lvbm1In', 'HgVLIILKGw', 'Hhisnh6yBM', 'wxAsrdFm1N', 'MdksxJvqlu', 'AmrsjQYOvA', 'Figs0cU2o6'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, zHqVqmBgPs2cdio7TdG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TtYk7ZmdfI', 'Q2qk2IphcL', 'mJdkRy7QpQ', 'Ul4kki7NXW', 'AnCkSQrnTb', 'ELkk9aemVf', 'jrHkcwe7CE'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, lkFS2dEPctdY0uI2Y8.cs High entropy of concatenated method names: 'Dispose', 'C3TB0n7ojr', 'PAdWY3VAIF', 'SaQy1akG4S', 'qj4BA64JMY', 'In0BzE9sWY', 'ProcessDialogKey', 'vGmWF3BWbf', 'CZMWB0Mx69', 'qbjWWTVZcp'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, LRPDjNgp89N91EAp0v.cs High entropy of concatenated method names: 'fMoBvZ0gV3', 'NACBIxDwCE', 'rWpBwxdpiE', 'yqDBMH5JrK', 'o1QBZKEy0J', 'IUNB8rWRDP', 'x9N9cn2nvAf4yeGxva', 'HjuE8GH1jR71Q7O0vW', 'EAKBBDcP7r', 'kSuBoZcC1k'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, pF3wvQBWHey0f0bWYau.cs High entropy of concatenated method names: 'ToString', 'sSiRuOSdht', 'zyvR6SixqC', 'KmSRQBRCM2', 'l8ERmlvwH6', 'TpPRYsJ42l', 'e60RtkA4O4', 'ya2RlLwKPo', 'aFeOXFwEUBZGxJBm8AH', 'bi3BCYwWO5pP2aySBU5'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, e8OsT9IkGEmBGJinVc.cs High entropy of concatenated method names: 'mZOohvXAbW', 'IvKoPEMyaZ', 'J3noEiGlUC', 'RBJo16GR4e', 'UKSospics3', 'oYfoLxVpa9', 'Sf4ov5mk6f', 'oehoInl7we', 'GDwoif9H6m', 'd0CowrYpui'
Source: 0.2.z1MB267382625AE.exe.3962ea0.2.raw.unpack, uKLxFGWqQk5xT6QMyj.cs High entropy of concatenated method names: 'OelyM5GSY', 'jXb42we54', 'JGuGGNW2Y', 'lM7bWQYqf', 'mHC6nI1XK', 'MOQQjkBem', 'c6x1qDo6mXfHrr32oi', 'AwOYYmKktZYLwJndmJ', 'C3saqvcUw', 'ca72uCgP6'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, NJrKCeQ3un60MZ1QKE.cs High entropy of concatenated method names: 'NQBsNNYweq', 'ybpsbdbKEI', 'HhR1tCoL9M', 'f1s1lpEgSl', 'QHc1TuDsRW', 'UCJ1U5x0XT', 'gvp1JgeoDP', 'muy1d6j0EV', 'pqk15OxwKG', 'lLw1qHdpOH'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, fSyZE5rDZvdJn9DXtY.cs High entropy of concatenated method names: 'G0lpjuTuZs', 'iLZpAjJArR', 'nUhaFPW2P4', 'FdBaBdYiPl', 'Ed6pHnRAaU', 'smopDMiwQI', 'Vw2pVf9E4U', 'PTZpfHwZ40', 'ok9pCJMQpZ', 'BIcpOmbDL1'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, C7p1976WpxdpiE3qDH.cs High entropy of concatenated method names: 'RBq14uGoTe', 'bfg1Gx8wCb', 'fvD1uAWiQt', 'TAo16T9TZk', 'E8I1ZTjw3c', 'Jkf18VgOfd', 'uGj1pleFD1', 'CHZ1a8gEba', 'NX3175SnZ2', 'QVV12UkS8O'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, YZDwvZBBnDdGi69nQnm.cs High entropy of concatenated method names: 'UW52AtWkm0', 'i6i2zrJFH1', 'mwFRFCiw9r', 'BOORBNJpSB', 'XkORW9CDx1', 'U6fRoJqpww', 'tvYRgdydxF', 'MBaRhNm1CD', 'F1eRPY9ZMC', 'VHGRE5XLGt'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, LDDoBh5m2tPpAyxati.cs High entropy of concatenated method names: 'gEPvKS2M5P', 'bl9v3yP2fn', 'TSnvyCpaQZ', 'Bhkv4ViQWM', 'kZpvNavwlF', 'GohvGxFy04', 'fADvbDoeSK', 'w7evuJ1KDp', 'Fkuv6v2TDJ', 'pNSvQal7i8'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, dZ0gV3u5ACxDwCEBtl.cs High entropy of concatenated method names: 'EgkEfKmGPr', 'AscECAlHA5', 'MDmEO0Dmrv', 'raGEXb3ooO', 'LSFEnPtUde', 'UukErr2XOQ', 'rXYExiXdkW', 'anbEj6ZVnw', 'YcjE0tJl4x', 'RgAEAwH5nM'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, VV1gciVI4BL7lT53tl.cs High entropy of concatenated method names: 'aA9euDFQD5', 'in3e6mTopO', 's30emXqCqk', 'L2KeYGcF2k', 'vldel2LoH2', 'JBeeT15I28', 'RExeJZwdsf', 'iv9edXao92', 'JH5eq1TJmj', 'jymeHMWwP5'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, wiUCrRJON8iBnF8uWx.cs High entropy of concatenated method names: 'plZvPjTi1h', 'nQ0v16JBxh', 'UX5vL4X6rR', 'sWZLAYyCa5', 'AqULzbvAc6', 'KZYvFFZq4j', 'zc5vBU40xV', 'rUOvWpIvKK', 'in3voiIsBo', 'oYrvg6518Y'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, G3BWbf0bZM0Mx69pbj.cs High entropy of concatenated method names: 'NSG7mPm9sM', 'DxS7Y3Ssix', 'ool7tutOUy', 'nAu7lvvlXI', 'DFj7TMwHED', 'Xj47UNGLt3', 'I6D7JSuOFJ', 'hd17dwfpy3', 'V5e75lcBL4', 'mZE7q4L0vO'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, vZDPAsz2Q0dRk9j1J3.cs High entropy of concatenated method names: 'lcB2GEMQW5', 'Xv72uy4yG6', 'W3726bMS9T', 'Rsh2m2eeT0', 'jrW2YAWWr5', 'vnT2ltn6sA', 'k652TtidTu', 'fAS2cftEyo', 'hGV2KxXcWe', 'BQP23HFMtX'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, JVZcpDAGO2p5Cx1j8e.cs High entropy of concatenated method names: 'z2s21cGVVN', 'yp22sQXBrx', 'cPC2LVJ3Sd', 'epn2vf1evV', 'ohg27oExdY', 'wOj2I6w8hi', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, QKTkR7BFhU60XmjIbn6.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'I4s2HKUAQn', 'BX72DTj8rX', 'JgE2Vqn2dW', 'VTp2fRVdCZ', 'fNH2CYcECm', 'prJ2OBt6aH', 'W9F2XRpWSv'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, QpkwaDxGqb3Tn7ojrp.cs High entropy of concatenated method names: 'hgx7Z2epbL', 'fwA7pNne3M', 'ufn77e6m7E', 'OCP7RM2UGD', 'mfT7Sa7Rg9', 'Bqw7cN1mTD', 'Dispose', 'YgHaPaAsIp', 'f4eaEcPqmr', 'z4fa14loyX'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, TSSuwX1321RDOYSMDs.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Dl6W0p8sJZ', 'z76WABEKlb', 'tGOWzka0NU', 'h2CoFY4Mfm', 'gpQoB7J3hy', 'TMMoWS48aT', 'HkvooGywPk', 'wFxe2lGwiXKVhl7Fyo7'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, z0JtUNmrWRDPjyBNi5.cs High entropy of concatenated method names: 'H1ULhoyi1n', 'RreLEFwjgY', 'DpkLs5POE8', 'Oc6Lvbm1In', 'HgVLIILKGw', 'Hhisnh6yBM', 'wxAsrdFm1N', 'MdksxJvqlu', 'AmrsjQYOvA', 'Figs0cU2o6'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, zHqVqmBgPs2cdio7TdG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TtYk7ZmdfI', 'Q2qk2IphcL', 'mJdkRy7QpQ', 'Ul4kki7NXW', 'AnCkSQrnTb', 'ELkk9aemVf', 'jrHkcwe7CE'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, lkFS2dEPctdY0uI2Y8.cs High entropy of concatenated method names: 'Dispose', 'C3TB0n7ojr', 'PAdWY3VAIF', 'SaQy1akG4S', 'qj4BA64JMY', 'In0BzE9sWY', 'ProcessDialogKey', 'vGmWF3BWbf', 'CZMWB0Mx69', 'qbjWWTVZcp'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, LRPDjNgp89N91EAp0v.cs High entropy of concatenated method names: 'fMoBvZ0gV3', 'NACBIxDwCE', 'rWpBwxdpiE', 'yqDBMH5JrK', 'o1QBZKEy0J', 'IUNB8rWRDP', 'x9N9cn2nvAf4yeGxva', 'HjuE8GH1jR71Q7O0vW', 'EAKBBDcP7r', 'kSuBoZcC1k'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, pF3wvQBWHey0f0bWYau.cs High entropy of concatenated method names: 'ToString', 'sSiRuOSdht', 'zyvR6SixqC', 'KmSRQBRCM2', 'l8ERmlvwH6', 'TpPRYsJ42l', 'e60RtkA4O4', 'ya2RlLwKPo', 'aFeOXFwEUBZGxJBm8AH', 'bi3BCYwWO5pP2aySBU5'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, e8OsT9IkGEmBGJinVc.cs High entropy of concatenated method names: 'mZOohvXAbW', 'IvKoPEMyaZ', 'J3noEiGlUC', 'RBJo16GR4e', 'UKSospics3', 'oYfoLxVpa9', 'Sf4ov5mk6f', 'oehoInl7we', 'GDwoif9H6m', 'd0CowrYpui'
Source: 0.2.z1MB267382625AE.exe.5c10000.5.raw.unpack, uKLxFGWqQk5xT6QMyj.cs High entropy of concatenated method names: 'OelyM5GSY', 'jXb42we54', 'JGuGGNW2Y', 'lM7bWQYqf', 'mHC6nI1XK', 'MOQQjkBem', 'c6x1qDo6mXfHrr32oi', 'AwOYYmKktZYLwJndmJ', 'C3saqvcUw', 'ca72uCgP6'
Source: C:\Users\user\Desktop\z1MB267382625AE.exe File created: C:\Users\user\AppData\Roaming\pNgFqm.exe
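The records in this section describe one packing scheme from two sides. The `System.Reflection.Assembly.Load(byte[])` calls load a .NET assembly straight from a byte array, so the next stage is decrypted and executed in memory rather than written to disk; the `.text` section entropy of about 7.80 bits per byte (close to the 8.0 maximum) and the random-looking method names are what that encrypted payload and obfuscated loader look like statically. The Python below is an added example, not Joe Sandbox code: it walks a PE's COFF section table and reports per-section entropy, flags sections above a packing threshold, and scores concatenated method names the way the "High entropy of concatenated method names" indicator does. The PE it parses is a minimal skeleton constructed inline so the script runs offline; the method names are copied from the report lines above.

```python
"""Entropy triage for packed .NET samples: PE section entropy plus entropy of
concatenated method names. Added example, not Joe Sandbox code. The PE used
for the demo is a constructed header skeleton, not a real binary."""
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per symbol: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes) -> dict:
    """Parse the DOS/NT/COFF headers and return {section_name: entropy of raw data}."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad NT signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                # first 40-byte section header
    result = {}
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        name = name.rstrip(b"\x00").decode("ascii", "replace")
        result[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result


def packed_sections(pe: bytes, threshold: float = 7.0) -> list:
    """Names of sections whose entropy suggests compressed or encrypted content."""
    return [name for name, h in section_entropies(pe).items() if h >= threshold]


def method_name_entropy(names) -> float:
    """Entropy of the concatenated method names of one class, as the report computes it."""
    return shannon_entropy("".join(names).encode())


def build_fake_pe(sections) -> bytes:
    """Constructed test input: a PE32 skeleton (DOS stub, NT signature, COFF header,
    empty optional header, section table, raw section data). Parseable, not loadable."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = b"\x0b\x01" + b"\x00" * 222                                # PE32 magic + padding
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    offset = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    table, raw = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00")[:8],
                             len(data), 0, len(data), offset, 0, 0, 0, 0, 0x60000020)
        offset += len(data)
        raw += data
    return dos + b"PE\x00\x00" + coff + opt + table + raw


# Method names copied from the report: one obfuscated class, one set of readable names.
OBFUSCATED = ['NQBsNNYweq', 'ybpsbdbKEI', 'HhR1tCoL9M', 'f1s1lpEgSl', 'QHc1TuDsRW',
              'UCJ1U5x0XT', 'gvp1JgeoDP', 'muy1d6j0EV', 'pqk15OxwKG', 'lLw1qHdpOH']
READABLE = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Dispose', 'ToString',
            'Next', 'NextBytes']

if __name__ == "__main__":
    # .text filled with every byte value equally (max entropy), .rsrc constant (zero entropy).
    pe = build_fake_pe([(b".text", bytes(range(256)) * 4), (b".rsrc", b"A" * 256)])
    print(section_entropies(pe), packed_sections(pe))
    print(round(method_name_entropy(OBFUSCATED), 2), round(method_name_entropy(READABLE), 2))
```

Entropy alone does not prove malice (compressed resources and certificates are also high-entropy), but a `.text` section near 8.0 in a .NET executable that also calls `Assembly.Load(byte[])` is the combination to triage first, and the method-name score separates renamed classes from framework overrides such as `ConvertFrom` and `Dispose` that survive the obfuscator.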

Boot Survival

Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp"
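The schtasks command above registers a task named Updates\pNgFqm from an XML definition written to the user's Temp directory, which is the persistence step for the dropped pNgFqm.exe. The task name is arbitrary; the stable, detectable part is a task being created from an XML file under a temp path. The Python below is an added example, not Joe Sandbox or Sigma code: it pulls /TN and /XML out of a schtasks command line and flags creation from a temp directory. The process-creation records it runs over are constructed, with the first copied from the report line above.

```python
"""Flag schtasks /Create invocations whose task XML lives in a temp directory.
Added example, not Joe Sandbox or Sigma code; sample records are constructed."""
import re

# "/TN value" and "/XML value", quoted or bare, case-insensitive.
_ARG = re.compile(r'/(?P<key>TN|XML)\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.IGNORECASE)
# Temp locations that a legitimate installer rarely uses for a task definition.
_TEMP_DIR = re.compile(r'\\(?:AppData\\Local\\Temp|Temp|Tmp)\\', re.IGNORECASE)


def parse_schtasks(cmdline: str) -> dict:
    """Return {'create': bool, 'task': str or None, 'xml': str or None}."""
    args = {}
    for m in _ARG.finditer(cmdline):
        args[m.group("key").upper()] = m.group("q") if m.group("q") is not None else m.group("u")
    return {
        "create": re.search(r"\s/Create\b", cmdline, re.IGNORECASE) is not None,
        "task": args.get("TN"),
        "xml": args.get("XML"),
    }


def is_temp_xml_task(cmdline: str) -> bool:
    """True when a task is created (/Create) from an XML file under a temp directory."""
    info = parse_schtasks(cmdline)
    return bool(info["create"] and info["xml"] and _TEMP_DIR.search(info["xml"]))


def triage(log_lines):
    """Apply the rule to 'image|commandline' process-creation records; return task names hit."""
    hits = []
    for line in log_lines:
        image, _, cmd = line.partition("|")
        if image.lower().endswith("schtasks.exe") and is_temp_xml_task(cmd):
            hits.append(parse_schtasks(cmd)["task"])
    return hits


# Constructed records: the first is the command line from the report, the others are benign.
SAMPLE_LOG = [
    r'C:\Windows\SysWOW64\schtasks.exe|"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp"',
    r'C:\Windows\System32\schtasks.exe|schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
    r'C:\Windows\System32\schtasks.exe|schtasks.exe /Query /TN "Updates\pNgFqm"',
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On a live host the same logic applies to Sysmon event 1 or Security event 4688 command lines; the XML itself is usually deleted after registration, so the registered task (its Actions element pointing at a file under AppData\Roaming) is what remains to confirm the hit.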

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 occurrences)
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process information set: NOOPENFILEERRORBOX (40 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (123 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process information set: NOOPENFILEERRORBOX (58 identical entries)
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Process information set: NOOPENFILEERRORBOX (97 identical entries)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pNgFqm.exe PID: 5840, type: MEMORYSTR
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Memory allocated: B80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Memory allocated: 2750000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Memory allocated: 2660000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Memory allocated: 5DC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Memory allocated: 6DC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Memory allocated: 6F00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Memory allocated: 7F00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Memory allocated: FD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Memory allocated: 29D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Memory allocated: 49D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Memory allocated: 990000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Memory allocated: 2610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Memory allocated: 990000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Memory allocated: 5C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Memory allocated: 6C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Memory allocated: 6D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Memory allocated: 7D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Memory allocated: 1500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Memory allocated: 2FE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Memory allocated: 2F10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 identical entries)
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 598735 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 598610 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 598485 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 598236 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 597829 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 597711 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 597567 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 597438 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 597313 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 597203 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 597094 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 596969 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 596750 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 596641 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 596531 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 596422 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 596313 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 596188 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 596078 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 595969 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 595844 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 595171 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 595062 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 594953 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 594843 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 594110 Jump to behavior
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Thread delayed: delay time: 593985 Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 599407
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 599282
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 599157
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 599032
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 598922
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 598688
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 598313
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 598204
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 598079
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 597954
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 597829
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 597704
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 597579
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 597454
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 597329
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 597204
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 597079
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 596954
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 596829
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 596704
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 596587
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 596480
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 596141
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 596016
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 595907
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 595782
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 595657
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 595547
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 595438
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 595313
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 595188
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 595063
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 594938
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 594828
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 594719
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 594594
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Thread delayed: delay time: 594110
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7582
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 390
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5975
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Window / User API: threadDelayed 2177
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Window / User API: threadDelayed 7650
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Window / User API: threadDelayed 1703
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Window / User API: threadDelayed 8124
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 3284 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4228 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 628 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3412 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep count: 31 > 30
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 4272 Thread sleep count: 2177 > 30
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 4272 Thread sleep count: 7650 > 30
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -599438s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -599078s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -598969s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -598844s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -598735s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -598610s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -598485s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -598360s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -598236s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -597829s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -597711s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -597567s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -597438s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -597313s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -597203s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -597094s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -596969s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -596859s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -596750s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -596641s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -596531s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -596422s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -596313s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -596188s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -596078s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -595969s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -595844s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -595734s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -595625s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -595515s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -595297s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -595171s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -595062s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -594843s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -594110s >= -30000s
Source: C:\Users\user\Desktop\z1MB267382625AE.exe TID: 6464 Thread sleep time: -593985s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 4220 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 4484 Thread sleep count: 1703 > 30
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 4484 Thread sleep count: 8124 > 30
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -599657s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -599407s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -599282s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -599157s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -599032s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -598922s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -598688s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -598438s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -598313s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -598204s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -598079s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -597954s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -597829s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -597704s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -597579s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -597454s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -597329s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -597204s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -597079s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -596954s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -596829s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -596704s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -596587s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -596480s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -596250s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -596141s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -596016s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -595907s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -595782s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -595657s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -595547s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -595438s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -595313s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -595188s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -595063s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -594938s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -594828s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -594719s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -594594s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe TID: 5208 Thread sleep time: -594110s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: z1MB267382625AE.exe, 00000008.00000002.3892585173.0000000000D76000.00000004.00000020.00020000.00000000.sdmp, pNgFqm.exe, 0000000D.00000002.3892476294.00000000011B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe"
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNgFqm.exe"
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe"
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNgFqm.exe"
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1MB267382625AE.exe"
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pNgFqm.exe"
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpCA64.tmp"
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Process created: C:\Users\user\Desktop\z1MB267382625AE.exe "C:\Users\user\Desktop\z1MB267382625AE.exe"
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNgFqm" /XML "C:\Users\user\AppData\Local\Temp\tmpDFA2.tmp"
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Process created: C:\Users\user\AppData\Roaming\pNgFqm.exe "C:\Users\user\AppData\Roaming\pNgFqm.exe"
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Queries volume information: C:\Users\user\Desktop\z1MB267382625AE.exe VolumeInformation
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Queries volume information: C:\Users\user\Desktop\z1MB267382625AE.exe VolumeInformation
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Queries volume information: C:\Users\user\AppData\Roaming\pNgFqm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Queries volume information: C:\Users\user\AppData\Roaming\pNgFqm.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 8.2.z1MB267382625AE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.3891998369.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3894344951.00000000031A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3894760965.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3894344951.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z1MB267382625AE.exe PID: 2536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\z1MB267382625AE.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\z1MB267382625AE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\pNgFqm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 8.2.z1MB267382625AE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.3891998369.000000000041C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z1MB267382625AE.exe PID: 2536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 8.2.z1MB267382625AE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z1MB267382625AE.exe.38fe280.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z1MB267382625AE.exe.391eca0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z1MB267382625AE.exe.38fe280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z1MB267382625AE.exe.391eca0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.3891998369.000000000041A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3891998922.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3894760965.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3894344951.00000000031A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3894760965.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3894344951.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1465257282.0000000003759000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z1MB267382625AE.exe PID: 3400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z1MB267382625AE.exe PID: 2536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pNgFqm.exe PID: 5764, type: MEMORYSTR