Windows Analysis Report
4yOuoT4GFy.exe

Overview

General Information

Sample name: 4yOuoT4GFy.exe
renamed because original name is a hash value
Original sample name: A6D1D3DC7A39BA925EBC17953A7D6B24.exe
Analysis ID: 1561650
MD5: a6d1d3dc7a39ba925ebc17953a7d6b24
SHA1: 33500513781da4c6ef41db97226c0658274d7d35
SHA256: 56e59b7a9a99a1662e1213ed0b9c4278f6e6dcea89068936ea22d318521c9c4c
Tags: AsyncRATexeRATuser-abuse_ch
Infos:

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
AsyncRAT AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

AV Detection
barindex
Antivirus detection for URL or domain
Source: skype.onthewifi.com Avira URL Cloud: Label: malware
Source: ronymahmoud.casacam.net Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000008.00000002.4127051817.0000000002A91000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: AsyncRAT {"Server": "ronymahmoud.casacam.net,skype.onthewifi.com", "Port": "6606,7707,8808", "Version": "0.5.6D", "MutexName": "jhgafoymglrhbrsdp", "Autorun": "false", "Group": "null"}
Multi AV Scanner detection for domain / URL
Source: skype.onthewifi.com Virustotal: Detection: 12% Perma Link
Source: ronymahmoud.casacam.net Virustotal: Detection: 14% Perma Link
Source: skype.onthewifi.com Virustotal: Detection: 12% Perma Link
Source: ronymahmoud.casacam.net Virustotal: Detection: 14% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe ReversingLabs: Detection: 83%
Multi AV Scanner detection for submitted file
Source: 4yOuoT4GFy.exe ReversingLabs: Detection: 83%
Source: 4yOuoT4GFy.exe Virustotal: Detection: 73% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Uses 32bit PE files
Source: 4yOuoT4GFy.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49992 version: TLS 1.2
Source: 4yOuoT4GFy.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: opTA.pdbSHA256o source: 4yOuoT4GFy.exe, StcHfDkbCv.exe.0.dr
Source: Binary string: opTA.pdb source: 4yOuoT4GFy.exe, StcHfDkbCv.exe.0.dr

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 3.145.156.44:6606 -> 192.168.2.4:49737
Source: Network traffic Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 3.145.156.44:6606 -> 192.168.2.4:49737
Source: Network traffic Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 3.145.156.44:6606 -> 192.168.2.4:49737
Source: Network traffic Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 3.145.156.44:6606 -> 192.168.2.4:49737
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: ronymahmoud.casacam.net
Source: Malware configuration extractor URLs: skype.onthewifi.com
Yara detected Generic Downloader
Source: Yara match File source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2625000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.StcHfDkbCv.exe.28226d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.StcHfDkbCv.exe.282e3b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2630ce0.3.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49737 -> 3.145.156.44:6606
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 84.201.211.40
Source: unknown TCP traffic detected without corresponding DNS query: 84.201.211.40
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: skype.onthewifi.com
Source: global traffic DNS traffic detected: DNS query: ronymahmoud.casacam.net
Source: MSBuild.exe, 00000008.00000002.4125242253.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 4yOuoT4GFy.exe, 00000000.00000002.1720656894.0000000002571000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4127051817.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, StcHfDkbCv.exe, 00000009.00000002.1765381766.0000000002771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 4yOuoT4GFy.exe, 00000000.00000002.1725663791.0000000006712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49992 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected AsyncRAT
Source: Yara match File source: 9.2.StcHfDkbCv.exe.28226d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2625000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.StcHfDkbCv.exe.282e3b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2630ce0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2625000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.StcHfDkbCv.exe.28226d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.StcHfDkbCv.exe.282e3b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2630ce0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.1766444123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1720656894.0000000002612000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1765381766.0000000002812000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4127051817.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4yOuoT4GFy.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: StcHfDkbCv.exe PID: 8044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2800, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 9.2.StcHfDkbCv.exe.28226d0.1.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.4yOuoT4GFy.exe.2625000.1.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.StcHfDkbCv.exe.282e3b0.3.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.4yOuoT4GFy.exe.2630ce0.3.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.4yOuoT4GFy.exe.2625000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.StcHfDkbCv.exe.28226d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.StcHfDkbCv.exe.282e3b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.4yOuoT4GFy.exe.2630ce0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000D.00000002.1766444123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.1720656894.0000000002612000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.1765381766.0000000002812000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: 4yOuoT4GFy.exe PID: 7492, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: StcHfDkbCv.exe PID: 8044, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 2800, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
.NET source code contains very large strings
Source: 4yOuoT4GFy.exe, frmWeather.cs Long String: Length: 13824
Source: StcHfDkbCv.exe.0.dr, frmWeather.cs Long String: Length: 13824
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Code function: 0_2_00A6EEE4 0_2_00A6EEE4
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Code function: 0_2_02556F18 0_2_02556F18
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Code function: 0_2_02550040 0_2_02550040
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Code function: 0_2_0255001A 0_2_0255001A
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Code function: 0_2_02556F08 0_2_02556F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0128A278 8_2_0128A278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_01286830 8_2_01286830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_01285F60 8_2_01285F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_01285C18 8_2_01285C18
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Code function: 9_2_00D6EEE4 9_2_00D6EEE4
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Code function: 9_2_04D4CB80 9_2_04D4CB80
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Code function: 9_2_04D4CB70 9_2_04D4CB70
Sample file is different than original file name gathered from version info
Source: 4yOuoT4GFy.exe, 00000000.00000002.1721568574.000000000365B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs 4yOuoT4GFy.exe
Source: 4yOuoT4GFy.exe, 00000000.00000002.1720656894.00000000026DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBeerPubProject.dll> vs 4yOuoT4GFy.exe
Source: 4yOuoT4GFy.exe, 00000000.00000002.1726676480.0000000006ED0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs 4yOuoT4GFy.exe
Source: 4yOuoT4GFy.exe, 00000000.00000002.1720656894.0000000002612000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStub.exe" vs 4yOuoT4GFy.exe
Source: 4yOuoT4GFy.exe, 00000000.00000002.1726285393.0000000006C2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs 4yOuoT4GFy.exe
Source: 4yOuoT4GFy.exe, 00000000.00000002.1712612111.00000000007FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 4yOuoT4GFy.exe
Source: 4yOuoT4GFy.exe, 00000000.00000000.1656500979.000000000011E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameopTA.exe< vs 4yOuoT4GFy.exe
Source: 4yOuoT4GFy.exe, 00000000.00000002.1720656894.000000000269C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBeerPubProject.dll> vs 4yOuoT4GFy.exe
Source: 4yOuoT4GFy.exe, 00000000.00000002.1724729490.0000000004B50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBeerPubProject.dll> vs 4yOuoT4GFy.exe
Source: 4yOuoT4GFy.exe Binary or memory string: OriginalFilenameopTA.exe< vs 4yOuoT4GFy.exe
Uses 32bit PE files
Source: 4yOuoT4GFy.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 9.2.StcHfDkbCv.exe.28226d0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.4yOuoT4GFy.exe.2625000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.StcHfDkbCv.exe.282e3b0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.4yOuoT4GFy.exe.2630ce0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.4yOuoT4GFy.exe.2625000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.StcHfDkbCv.exe.28226d0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.StcHfDkbCv.exe.282e3b0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.4yOuoT4GFy.exe.2630ce0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000D.00000002.1766444123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.1720656894.0000000002612000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.1765381766.0000000002812000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 4yOuoT4GFy.exe PID: 7492, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: StcHfDkbCv.exe PID: 8044, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: MSBuild.exe PID: 2800, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4yOuoT4GFy.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: StcHfDkbCv.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.4yOuoT4GFy.exe.2630ce0.3.raw.unpack, Settings.cs Base64 encoded string: 'sZ+gP4yrz0ZarAvGWvPcKARrH48XybZNSEafzswQr3tp12ZmBONnb17qqsyLkmcemREVEbm1XV9Z3FwT6lqYUQ==', 'T/eH3VZ/THy3t7r6yCu6cFfcpeC5HUK4zX2ZKbzcS/uDlArz1Y0xeBvfcbyPlr0Okz9ndURhjcg7nIgtXJJsa8N9e3t9JLi76+0aBjSoj5XpWMxxLS8BUVXfg/HDbHG5', 'jLSgAGWSuZDurwhS1FULswDUMmRr37har4Cqpquuzgtxy0eDWazRPCwWAr12P9jU5thG6GsPMTwFQCbi4Ucz0Q==', 'nn32aYwPOlUsJ7FNlf5TfQcC05k1CkJNzUAb43GsAwbgM5SrWyVkM5TXCWsnmxlGgjKYObyenWltthQgZ1dzA9p2OsUdKYAVDAYxb8oPh0M=', 'O1DanMOituSOiMjbVl1Tp+9IZXuH3XG1tcmbuFuwv0AJEdXvs+EEp+XKjhdbb0YMBZuwFdHq4JF3KEVgIP9GjnAHTz62nyML/vI4rZ/gJZmkQ2ixs4XSQfL1TVhsfBlFKqNy2nUpnJhtj4h2OroNqAwtdCeWiUxDRmKCKLwhmAiOlpiUeaLSG+A8JP46kvaBHlF1AzMJoN6pkCsRwU3oUydFKhhqBABpXfyB3tVIbGhBT3NKNrPAXZZY5zjLbpMVD/30JQjaKCZ5olj4b5FfkPdBI6JRPJ7NeBQxEPq4ZvHJmeDQpTu1jFXvbhGglqyYO5F5QnzFEBRf8py/VNaYaMKbgQcgsmqnmaykvs9ykrIINjTosZUiMmF/yu2h4Yni1rV97+DRRHGmdGbqE+Q9a1TxEGiJKtb5Igtx/9ZBbf+hfOMeJ21H+xBHKSNn2tX39W8k3YlyDhFA0ZXB/PfE9B9zPk3jovQ04mB6q4w0lbzCtm7UlCzGHJYD5BcucZnwUxGWbQPmSSsezUD5ulzsIaA1QF+DOHT/Om/6d9RA/MXES6ma9r12GSwZaMmfE37ewzrXqEUy5dEJ/hxHrXa6//KoYabEodP/KPVwR0DvcuFI43AtzYRWb5iESwbBL64OblsF5WuVHeaNu3smZwsh/oErlOk4BoClht4JrMjxQR7BdhobKrQrF+TuFrNEmeOGxtYD1eC0THHYfPPp7xfInqZpUPoKbN1aUKdPFvS4Qx7cwRaHgd5vSMQY36OKAPZ8cc7FFD/GDbjHdtHVZ/3mc0Dahyg/QSiiUw8PSXvFjtpsyub6RIRQKgHQbEzIAAxVadxqIpnqaoRWHdp9itXH5k6e7+KoF7yaJ1cmh64OAkfDXsAhL2oYdPc5UeOwP6WufTxneqFWsr1ensCb6RrIvoBkgxRv85upsBbEpLnEJRJH4z1zUiB7vT+haonlGzR03qAac+7VIoCGRyOY3IF+sA==', 'whDmrX3x3G/1cFu87Rzxytbg+WZl8eUflUxb00t2etimBOqaozI1kgz8vUSjmFlD6+TQfbvI7kWBW+h19IIjMA==', 'rJI49KgTSdlkO1Omqf6W4HTEzWk/fvw+7n5IvjCeHME0S2I+eaL217NHVhbk2uzn7iclcZ5IH7hLUXP0THHa8g==', 'mDtQQPQZ5XZMtuBzf0AjtZbAIvP2Q4p4LJw+cep/cMWgxPp/zNoWsMhTrK+EHZjau367C9E23jBWUYjq0EGEHQ==', 'xUWyVFwOElPFrUrOBBeoyTS2ldf3tl/BFrXwhk8R+7zdiQtaViI3oPXmvTnw7AQZJcH4yWEeJvLhgvg6HhWS2Q=='
Source: 0.2.4yOuoT4GFy.exe.2625000.1.raw.unpack, Settings.cs Base64 encoded string: 'sZ+gP4yrz0ZarAvGWvPcKARrH48XybZNSEafzswQr3tp12ZmBONnb17qqsyLkmcemREVEbm1XV9Z3FwT6lqYUQ==', 'T/eH3VZ/THy3t7r6yCu6cFfcpeC5HUK4zX2ZKbzcS/uDlArz1Y0xeBvfcbyPlr0Okz9ndURhjcg7nIgtXJJsa8N9e3t9JLi76+0aBjSoj5XpWMxxLS8BUVXfg/HDbHG5', 'jLSgAGWSuZDurwhS1FULswDUMmRr37har4Cqpquuzgtxy0eDWazRPCwWAr12P9jU5thG6GsPMTwFQCbi4Ucz0Q==', 'nn32aYwPOlUsJ7FNlf5TfQcC05k1CkJNzUAb43GsAwbgM5SrWyVkM5TXCWsnmxlGgjKYObyenWltthQgZ1dzA9p2OsUdKYAVDAYxb8oPh0M=', 'O1DanMOituSOiMjbVl1Tp+9IZXuH3XG1tcmbuFuwv0AJEdXvs+EEp+XKjhdbb0YMBZuwFdHq4JF3KEVgIP9GjnAHTz62nyML/vI4rZ/gJZmkQ2ixs4XSQfL1TVhsfBlFKqNy2nUpnJhtj4h2OroNqAwtdCeWiUxDRmKCKLwhmAiOlpiUeaLSG+A8JP46kvaBHlF1AzMJoN6pkCsRwU3oUydFKhhqBABpXfyB3tVIbGhBT3NKNrPAXZZY5zjLbpMVD/30JQjaKCZ5olj4b5FfkPdBI6JRPJ7NeBQxEPq4ZvHJmeDQpTu1jFXvbhGglqyYO5F5QnzFEBRf8py/VNaYaMKbgQcgsmqnmaykvs9ykrIINjTosZUiMmF/yu2h4Yni1rV97+DRRHGmdGbqE+Q9a1TxEGiJKtb5Igtx/9ZBbf+hfOMeJ21H+xBHKSNn2tX39W8k3YlyDhFA0ZXB/PfE9B9zPk3jovQ04mB6q4w0lbzCtm7UlCzGHJYD5BcucZnwUxGWbQPmSSsezUD5ulzsIaA1QF+DOHT/Om/6d9RA/MXES6ma9r12GSwZaMmfE37ewzrXqEUy5dEJ/hxHrXa6//KoYabEodP/KPVwR0DvcuFI43AtzYRWb5iESwbBL64OblsF5WuVHeaNu3smZwsh/oErlOk4BoClht4JrMjxQR7BdhobKrQrF+TuFrNEmeOGxtYD1eC0THHYfPPp7xfInqZpUPoKbN1aUKdPFvS4Qx7cwRaHgd5vSMQY36OKAPZ8cc7FFD/GDbjHdtHVZ/3mc0Dahyg/QSiiUw8PSXvFjtpsyub6RIRQKgHQbEzIAAxVadxqIpnqaoRWHdp9itXH5k6e7+KoF7yaJ1cmh64OAkfDXsAhL2oYdPc5UeOwP6WufTxneqFWsr1ensCb6RrIvoBkgxRv85upsBbEpLnEJRJH4z1zUiB7vT+haonlGzR03qAac+7VIoCGRyOY3IF+sA==', 'whDmrX3x3G/1cFu87Rzxytbg+WZl8eUflUxb00t2etimBOqaozI1kgz8vUSjmFlD6+TQfbvI7kWBW+h19IIjMA==', 'rJI49KgTSdlkO1Omqf6W4HTEzWk/fvw+7n5IvjCeHME0S2I+eaL217NHVhbk2uzn7iclcZ5IH7hLUXP0THHa8g==', 'mDtQQPQZ5XZMtuBzf0AjtZbAIvP2Q4p4LJw+cep/cMWgxPp/zNoWsMhTrK+EHZjau367C9E23jBWUYjq0EGEHQ==', 'xUWyVFwOElPFrUrOBBeoyTS2ldf3tl/BFrXwhk8R+7zdiQtaViI3oPXmvTnw7AQZJcH4yWEeJvLhgvg6HhWS2Q=='
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, tLxkIT6mTqipms91mk.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, tLxkIT6mTqipms91mk.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, tLxkIT6mTqipms91mk.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, lAo4hvM4vb6k6gjoDH.cs Security API names: _0020.SetAccessControl
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, lAo4hvM4vb6k6gjoDH.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, lAo4hvM4vb6k6gjoDH.cs Security API names: _0020.AddAccessRule
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, lAo4hvM4vb6k6gjoDH.cs Security API names: _0020.SetAccessControl
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, lAo4hvM4vb6k6gjoDH.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, lAo4hvM4vb6k6gjoDH.cs Security API names: _0020.AddAccessRule
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, lAo4hvM4vb6k6gjoDH.cs Security API names: _0020.SetAccessControl
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, lAo4hvM4vb6k6gjoDH.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, lAo4hvM4vb6k6gjoDH.cs Security API names: _0020.AddAccessRule
Source: 0.2.4yOuoT4GFy.exe.2630ce0.3.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.4yOuoT4GFy.exe.2630ce0.3.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.4yOuoT4GFy.exe.2625000.1.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.4yOuoT4GFy.exe.2625000.1.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@19/18@2/1
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe File created: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\jhgafoymglrhbrsdp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Mutant created: \Sessions\1\BaseNamedObjects\unuGDAZRRtPluxvEGPKBsaO
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe File created: C:\Users\user\AppData\Local\Temp\tmp1109.tmp Jump to behavior
Source: 4yOuoT4GFy.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4yOuoT4GFy.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 4yOuoT4GFy.exe ReversingLabs: Detection: 83%
Source: 4yOuoT4GFy.exe Virustotal: Detection: 73%
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe File read: C:\Users\user\Desktop\4yOuoT4GFy.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\4yOuoT4GFy.exe "C:\Users\user\Desktop\4yOuoT4GFy.exe"
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4yOuoT4GFy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\StcHfDkbCv.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\StcHfDkbCv" /XML "C:\Users\user\AppData\Local\Temp\tmp1109.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe C:\Users\user\AppData\Roaming\StcHfDkbCv.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\StcHfDkbCv" /XML "C:\Users\user\AppData\Local\Temp\tmp25D9.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4yOuoT4GFy.exe" Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\StcHfDkbCv.exe" Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\StcHfDkbCv" /XML "C:\Users\user\AppData\Local\Temp\tmp1109.tmp" Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\StcHfDkbCv" /XML "C:\Users\user\AppData\Local\Temp\tmp25D9.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: 4yOuoT4GFy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 4yOuoT4GFy.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 4yOuoT4GFy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: opTA.pdbSHA256o source: 4yOuoT4GFy.exe, StcHfDkbCv.exe.0.dr
Source: Binary string: opTA.pdb source: 4yOuoT4GFy.exe, StcHfDkbCv.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.4yOuoT4GFy.exe.2709734.2.raw.unpack, Pub.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, lAo4hvM4vb6k6gjoDH.cs .Net Code: KOdGH54x7R System.Reflection.Assembly.Load(byte[])
Source: 0.2.4yOuoT4GFy.exe.4b50000.6.raw.unpack, Pub.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, lAo4hvM4vb6k6gjoDH.cs .Net Code: KOdGH54x7R System.Reflection.Assembly.Load(byte[])
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, lAo4hvM4vb6k6gjoDH.cs .Net Code: KOdGH54x7R System.Reflection.Assembly.Load(byte[])
Source: 0.2.4yOuoT4GFy.exe.26cee34.0.raw.unpack, Pub.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 9.2.StcHfDkbCv.exe.29097c4.0.raw.unpack, Pub.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Code function: 0_2_00A65D72 push esp; iretd 0_2_00A65D81
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Code function: 9_2_00D65D73 push esp; iretd 9_2_00D65D81
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Code function: 9_2_04D458A8 pushfd ; ret 9_2_04D458A9
Source: 4yOuoT4GFy.exe Static PE information: section name: .text entropy: 7.668386799469588
Source: StcHfDkbCv.exe.0.dr Static PE information: section name: .text entropy: 7.668386799469588
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, lAo4hvM4vb6k6gjoDH.cs High entropy of concatenated method names: 'AvXQKlAMTf', 'QatQaEprwV', 'wTkQ5kCHEh', 'KS5QmKsnjE', 'XqcQ4J25ba', 'haxQ3f3rcn', 'KpxQ0qgxIt', 'ca5QMVRdBn', 'glVQfq5I3X', 'eKRQEFM9oo'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, iKCKwk87KxxprTOYDZ1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VFXDnSBSA3', 'pBFDZN73MO', 'OTLDBpOiFX', 'mmRDPVX3n0', 'MHXDsVpW7x', 'LIJDcHDEkd', 'JaZDR0QGGf'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, V5VmFx1usO1LQBdNhc.cs High entropy of concatenated method names: 'oSgDm3jU1O', 'jaCD4u1ucU', 'PIAD3UICRe', 'zuZD0sinM7', 'G33DYLuIBR', 'OgRDMdfTYL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, pDt9nHmHiofPihRN2C.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'a3akVmNLiK', 'DEik1vDfbv', 'cubkzpfcnR', 'Gg0Q7kNNCV', 'y8uQ85YtjB', 'VrKQkr6y86', 'OntQQB7eDO', 'Fxywpnk8WhhIbWtGFUs'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, YSK5xQRbF4U503Q8rC.cs High entropy of concatenated method names: 'OftWEVJDZD', 'lvuWwkGAF2', 'ToString', 'KscWakI2HO', 'HygW5TE18g', 'PMjWmGvPrQ', 'TLjW44bj1M', 'x5RW3bjXca', 'HLwW0LCCFU', 'tFAWMZWwsd'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, tLxkIT6mTqipms91mk.cs High entropy of concatenated method names: 'v805P1iR1q', 'aUL5s78UjD', 'NRq5cQRfPq', 'uVO5R1ydGH', 'RKD5OwG1bv', 'ed65rw3vna', 'OeH5uuNeXt', 'o7F5oPqicF', 'vg65VaRkBo', 'Ykv51altmj'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, LQnwKHLBAjq3omwY3D.cs High entropy of concatenated method names: 'S0M3KWXLkJ', 'eC835gtDvU', 'z7K34eN8dH', 'M2O30s3bCW', 'JYl3MdXa5X', 'foo4O1x69O', 'GSv4rJndLn', 'EG84uuPGPR', 'OlA4oXY5v1', 'u5m4VMwZo8'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, wX0THu8QELgeS66B78c.cs High entropy of concatenated method names: 'GZNl1cGruy', 'tjBlzA9r2x', 'DMnJ7Xddwm', 'WY403q3TyanGSOOlXVL', 'Doj6r033rTonsAmuTl7', 'vPlAMu3p8ovYDhRAyHy', 'ukiYaW3sEx4FhBbL5HC'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, sNq39XuiXdrIL3xAMZ.cs High entropy of concatenated method names: 'rDCYNiWdJT', 'JtaYWRnjsJ', 'veCYYtlO0M', 'arKYlY6tA2', 'TkDYguL8vD', 'BsmYTp14Kt', 'Dispose', 'LMvvaXgb3r', 'fmlv5NNpSL', 'e3bvmBtB6b'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, DdrD8QiDVAC9B0bhSe.cs High entropy of concatenated method names: 'Bqe0aeZR1y', 'VD50mt8QFf', 'KE1031Y7VA', 'Nni31frHON', 'yOA3zJVBuG', 'QbS07T1dln', 'RCf08eYya6', 'Slp0kZAED2', 'abG0Q5Is6m', 'k3h0GpNUBX'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, lfuoPVVkfQmyvKqAYy.cs High entropy of concatenated method names: 'L2tYLUnEK1', 'YlXYh4wQU9', 'a3PYbs7Ed0', 'zW6YewgPiq', 'Ja1Yyf57qu', 'BiHYjbX9OF', 'CWyYiUiAim', 'PnFYS55eKs', 'X0dYprjgMQ', 'zpnY2Epx0D'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, e5vZwIAlFMIp8hWqLF.cs High entropy of concatenated method names: 'gPF49cdPm9', 'jt24XTweuG', 'N6pmbpf0eI', 'DAYmeqjhl4', 'YM6myujRf2', 'dy0mjaJbRf', 'Cp5miwUUcd', 'UIHmSwWx31', 'UnBmpyeP1l', 'P8tm2YQ5Uy'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, dbSJ6kkvGxIN5F4S66.cs High entropy of concatenated method names: 'nGQHXJTN9', 'MJdtGmd0S', 'VfeFNyPNy', 'aZOX2rZn7', 'xsZdDDB8u', 'DkcAEnHGm', 'GslB8GVFgVPj0QcQ68', 'i4rBRGZnEtUGd6vwEY', 'ADyvk7ksC', 'nsdDHBUSm'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, jUf5anPVY0txVbFl2o.cs High entropy of concatenated method names: 'OkMN2fIEvn', 'q8nNZ12LBB', 'Qg4NPG21r0', 'py6Nsfqqa2', 'd1INhZ4qK8', 'cWTNbuil9a', 'GrVNenBExL', 'twMNytAoSi', 'nVWNj7PwTD', 'TgBNiCqXWV'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, lMhAnHruvgBfTCbcRh.cs High entropy of concatenated method names: 'y0MWoS0s9P', 'LKvW1Hbh6S', 'i1Zv7PbPKg', 'Qu2v8ueiVf', 'GYaWnbYpoM', 'I4MWZW3gtm', 'ba7WBF712A', 'M86WPf5iSL', 'CXnWsgfHF3', 'ya8WclSPh4'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, InCtC65afvQCY47vjJ.cs High entropy of concatenated method names: 'Dispose', 'ErI8VL3xAM', 'rFOkhC2E3j', 'Wrg9s5teAt', 'Pb581w9YMZ', 'mXQ8zU0HHf', 'ProcessDialogKey', 'fOfk7fuoPV', 'cfQk8myvKq', 'FYykkr5VmF'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, mubF09GaO4GPVqwQwH.cs High entropy of concatenated method names: 'Dll80LxkIT', 'gTq8Mipms9', 'h1W8ErTN4K', 'HeK8wKK5vZ', 'HWq8NLFSQn', 'nKH8IBAjq3', 'UWp4vN2xI0m878cv5U', 's1fHTZOaUhcV35Y4Ze', 'L5D882VWC3', 'v6B8QCIlGq'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, Rnec7UpUy4Z3JlcAOl.cs High entropy of concatenated method names: 'BVS0CCYUtD', 'wdT0UPPnBb', 'UB50HFcuan', 'D2W0tLd5fM', 'hU009pQWJa', 'P0P0FZLat2', 'VM40X8uZpW', 'LDQ06QVyN1', 'tYh0d7vwmQ', 'tLZ0AJ6YVf'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, NCgsg3BleELvsW3MXQ.cs High entropy of concatenated method names: 'Tauq6G6wKr', 'DNSqdBS1j7', 'yHsqLS4YtC', 'sn0qhT21LS', 'kItqerjvk3', 'P4Lqyjhtis', 'l0Uqioe58b', 'aXJqSMVyFF', 'zGlq2lymKZ', 'coBqnADi3v'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, oYkmZt88LXyY6Xsq2PA.cs High entropy of concatenated method names: 'RhID1KhlrF', 'DBvDzkTD7H', 'gu3l7Vgk8G', 'V37l8q5Pu4', 'gIClkSkbVR', 'IxClQwBs3Z', 'wWDlGJ3bjW', 'zqXlKwWXII', 'qoQlajqpmy', 'OE3l51nMKF'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, F6xTP4d1WrTN4KheKK.cs High entropy of concatenated method names: 'EnwmtD1AU7', 'xMOmFhIc8W', 'C75m69lAnR', 'PHKmd37jip', 'nP7mNimrrW', 'sxGmIXvs5m', 'o60mWRelwH', 'FYQmvX0LhL', 'yp2mYvJk7l', 'jT5mD4a1sH'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, RayEShzeo8UDhBjgnW.cs High entropy of concatenated method names: 'B4YDFtIUA0', 'ETVD61124O', 'z31DdUP29x', 's5DDLGvQtF', 'cdcDhFPjLY', 'VXjDeNscBo', 'nqHDytvPaY', 'xvKDTDpkXB', 'OF4DCo0t8q', 'lqgDUBG14Q'
Source: 0.2.4yOuoT4GFy.exe.373caf0.4.raw.unpack, m8UGda8G4dfnrtBMk3S.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xAyJYkRpfS', 'snAJDPU5wk', 'tW7JlaZqrV', 'WRUJJoVZRE', 'wn9JglY4s9', 'LEdJxT8TFR', 'P6AJTEYT04'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, lAo4hvM4vb6k6gjoDH.cs High entropy of concatenated method names: 'AvXQKlAMTf', 'QatQaEprwV', 'wTkQ5kCHEh', 'KS5QmKsnjE', 'XqcQ4J25ba', 'haxQ3f3rcn', 'KpxQ0qgxIt', 'ca5QMVRdBn', 'glVQfq5I3X', 'eKRQEFM9oo'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, iKCKwk87KxxprTOYDZ1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VFXDnSBSA3', 'pBFDZN73MO', 'OTLDBpOiFX', 'mmRDPVX3n0', 'MHXDsVpW7x', 'LIJDcHDEkd', 'JaZDR0QGGf'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, V5VmFx1usO1LQBdNhc.cs High entropy of concatenated method names: 'oSgDm3jU1O', 'jaCD4u1ucU', 'PIAD3UICRe', 'zuZD0sinM7', 'G33DYLuIBR', 'OgRDMdfTYL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, pDt9nHmHiofPihRN2C.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'a3akVmNLiK', 'DEik1vDfbv', 'cubkzpfcnR', 'Gg0Q7kNNCV', 'y8uQ85YtjB', 'VrKQkr6y86', 'OntQQB7eDO', 'Fxywpnk8WhhIbWtGFUs'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, YSK5xQRbF4U503Q8rC.cs High entropy of concatenated method names: 'OftWEVJDZD', 'lvuWwkGAF2', 'ToString', 'KscWakI2HO', 'HygW5TE18g', 'PMjWmGvPrQ', 'TLjW44bj1M', 'x5RW3bjXca', 'HLwW0LCCFU', 'tFAWMZWwsd'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, tLxkIT6mTqipms91mk.cs High entropy of concatenated method names: 'v805P1iR1q', 'aUL5s78UjD', 'NRq5cQRfPq', 'uVO5R1ydGH', 'RKD5OwG1bv', 'ed65rw3vna', 'OeH5uuNeXt', 'o7F5oPqicF', 'vg65VaRkBo', 'Ykv51altmj'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, LQnwKHLBAjq3omwY3D.cs High entropy of concatenated method names: 'S0M3KWXLkJ', 'eC835gtDvU', 'z7K34eN8dH', 'M2O30s3bCW', 'JYl3MdXa5X', 'foo4O1x69O', 'GSv4rJndLn', 'EG84uuPGPR', 'OlA4oXY5v1', 'u5m4VMwZo8'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, wX0THu8QELgeS66B78c.cs High entropy of concatenated method names: 'GZNl1cGruy', 'tjBlzA9r2x', 'DMnJ7Xddwm', 'WY403q3TyanGSOOlXVL', 'Doj6r033rTonsAmuTl7', 'vPlAMu3p8ovYDhRAyHy', 'ukiYaW3sEx4FhBbL5HC'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, sNq39XuiXdrIL3xAMZ.cs High entropy of concatenated method names: 'rDCYNiWdJT', 'JtaYWRnjsJ', 'veCYYtlO0M', 'arKYlY6tA2', 'TkDYguL8vD', 'BsmYTp14Kt', 'Dispose', 'LMvvaXgb3r', 'fmlv5NNpSL', 'e3bvmBtB6b'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, DdrD8QiDVAC9B0bhSe.cs High entropy of concatenated method names: 'Bqe0aeZR1y', 'VD50mt8QFf', 'KE1031Y7VA', 'Nni31frHON', 'yOA3zJVBuG', 'QbS07T1dln', 'RCf08eYya6', 'Slp0kZAED2', 'abG0Q5Is6m', 'k3h0GpNUBX'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, lfuoPVVkfQmyvKqAYy.cs High entropy of concatenated method names: 'L2tYLUnEK1', 'YlXYh4wQU9', 'a3PYbs7Ed0', 'zW6YewgPiq', 'Ja1Yyf57qu', 'BiHYjbX9OF', 'CWyYiUiAim', 'PnFYS55eKs', 'X0dYprjgMQ', 'zpnY2Epx0D'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, e5vZwIAlFMIp8hWqLF.cs High entropy of concatenated method names: 'gPF49cdPm9', 'jt24XTweuG', 'N6pmbpf0eI', 'DAYmeqjhl4', 'YM6myujRf2', 'dy0mjaJbRf', 'Cp5miwUUcd', 'UIHmSwWx31', 'UnBmpyeP1l', 'P8tm2YQ5Uy'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, dbSJ6kkvGxIN5F4S66.cs High entropy of concatenated method names: 'nGQHXJTN9', 'MJdtGmd0S', 'VfeFNyPNy', 'aZOX2rZn7', 'xsZdDDB8u', 'DkcAEnHGm', 'GslB8GVFgVPj0QcQ68', 'i4rBRGZnEtUGd6vwEY', 'ADyvk7ksC', 'nsdDHBUSm'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, jUf5anPVY0txVbFl2o.cs High entropy of concatenated method names: 'OkMN2fIEvn', 'q8nNZ12LBB', 'Qg4NPG21r0', 'py6Nsfqqa2', 'd1INhZ4qK8', 'cWTNbuil9a', 'GrVNenBExL', 'twMNytAoSi', 'nVWNj7PwTD', 'TgBNiCqXWV'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, lMhAnHruvgBfTCbcRh.cs High entropy of concatenated method names: 'y0MWoS0s9P', 'LKvW1Hbh6S', 'i1Zv7PbPKg', 'Qu2v8ueiVf', 'GYaWnbYpoM', 'I4MWZW3gtm', 'ba7WBF712A', 'M86WPf5iSL', 'CXnWsgfHF3', 'ya8WclSPh4'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, InCtC65afvQCY47vjJ.cs High entropy of concatenated method names: 'Dispose', 'ErI8VL3xAM', 'rFOkhC2E3j', 'Wrg9s5teAt', 'Pb581w9YMZ', 'mXQ8zU0HHf', 'ProcessDialogKey', 'fOfk7fuoPV', 'cfQk8myvKq', 'FYykkr5VmF'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, mubF09GaO4GPVqwQwH.cs High entropy of concatenated method names: 'Dll80LxkIT', 'gTq8Mipms9', 'h1W8ErTN4K', 'HeK8wKK5vZ', 'HWq8NLFSQn', 'nKH8IBAjq3', 'UWp4vN2xI0m878cv5U', 's1fHTZOaUhcV35Y4Ze', 'L5D882VWC3', 'v6B8QCIlGq'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, Rnec7UpUy4Z3JlcAOl.cs High entropy of concatenated method names: 'BVS0CCYUtD', 'wdT0UPPnBb', 'UB50HFcuan', 'D2W0tLd5fM', 'hU009pQWJa', 'P0P0FZLat2', 'VM40X8uZpW', 'LDQ06QVyN1', 'tYh0d7vwmQ', 'tLZ0AJ6YVf'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, NCgsg3BleELvsW3MXQ.cs High entropy of concatenated method names: 'Tauq6G6wKr', 'DNSqdBS1j7', 'yHsqLS4YtC', 'sn0qhT21LS', 'kItqerjvk3', 'P4Lqyjhtis', 'l0Uqioe58b', 'aXJqSMVyFF', 'zGlq2lymKZ', 'coBqnADi3v'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, oYkmZt88LXyY6Xsq2PA.cs High entropy of concatenated method names: 'RhID1KhlrF', 'DBvDzkTD7H', 'gu3l7Vgk8G', 'V37l8q5Pu4', 'gIClkSkbVR', 'IxClQwBs3Z', 'wWDlGJ3bjW', 'zqXlKwWXII', 'qoQlajqpmy', 'OE3l51nMKF'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, F6xTP4d1WrTN4KheKK.cs High entropy of concatenated method names: 'EnwmtD1AU7', 'xMOmFhIc8W', 'C75m69lAnR', 'PHKmd37jip', 'nP7mNimrrW', 'sxGmIXvs5m', 'o60mWRelwH', 'FYQmvX0LhL', 'yp2mYvJk7l', 'jT5mD4a1sH'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, RayEShzeo8UDhBjgnW.cs High entropy of concatenated method names: 'B4YDFtIUA0', 'ETVD61124O', 'z31DdUP29x', 's5DDLGvQtF', 'cdcDhFPjLY', 'VXjDeNscBo', 'nqHDytvPaY', 'xvKDTDpkXB', 'OF4DCo0t8q', 'lqgDUBG14Q'
Source: 0.2.4yOuoT4GFy.exe.36ecad0.5.raw.unpack, m8UGda8G4dfnrtBMk3S.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xAyJYkRpfS', 'snAJDPU5wk', 'tW7JlaZqrV', 'WRUJJoVZRE', 'wn9JglY4s9', 'LEdJxT8TFR', 'P6AJTEYT04'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, lAo4hvM4vb6k6gjoDH.cs High entropy of concatenated method names: 'AvXQKlAMTf', 'QatQaEprwV', 'wTkQ5kCHEh', 'KS5QmKsnjE', 'XqcQ4J25ba', 'haxQ3f3rcn', 'KpxQ0qgxIt', 'ca5QMVRdBn', 'glVQfq5I3X', 'eKRQEFM9oo'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, iKCKwk87KxxprTOYDZ1.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VFXDnSBSA3', 'pBFDZN73MO', 'OTLDBpOiFX', 'mmRDPVX3n0', 'MHXDsVpW7x', 'LIJDcHDEkd', 'JaZDR0QGGf'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, V5VmFx1usO1LQBdNhc.cs High entropy of concatenated method names: 'oSgDm3jU1O', 'jaCD4u1ucU', 'PIAD3UICRe', 'zuZD0sinM7', 'G33DYLuIBR', 'OgRDMdfTYL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, pDt9nHmHiofPihRN2C.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'a3akVmNLiK', 'DEik1vDfbv', 'cubkzpfcnR', 'Gg0Q7kNNCV', 'y8uQ85YtjB', 'VrKQkr6y86', 'OntQQB7eDO', 'Fxywpnk8WhhIbWtGFUs'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, YSK5xQRbF4U503Q8rC.cs High entropy of concatenated method names: 'OftWEVJDZD', 'lvuWwkGAF2', 'ToString', 'KscWakI2HO', 'HygW5TE18g', 'PMjWmGvPrQ', 'TLjW44bj1M', 'x5RW3bjXca', 'HLwW0LCCFU', 'tFAWMZWwsd'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, tLxkIT6mTqipms91mk.cs High entropy of concatenated method names: 'v805P1iR1q', 'aUL5s78UjD', 'NRq5cQRfPq', 'uVO5R1ydGH', 'RKD5OwG1bv', 'ed65rw3vna', 'OeH5uuNeXt', 'o7F5oPqicF', 'vg65VaRkBo', 'Ykv51altmj'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, LQnwKHLBAjq3omwY3D.cs High entropy of concatenated method names: 'S0M3KWXLkJ', 'eC835gtDvU', 'z7K34eN8dH', 'M2O30s3bCW', 'JYl3MdXa5X', 'foo4O1x69O', 'GSv4rJndLn', 'EG84uuPGPR', 'OlA4oXY5v1', 'u5m4VMwZo8'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, wX0THu8QELgeS66B78c.cs High entropy of concatenated method names: 'GZNl1cGruy', 'tjBlzA9r2x', 'DMnJ7Xddwm', 'WY403q3TyanGSOOlXVL', 'Doj6r033rTonsAmuTl7', 'vPlAMu3p8ovYDhRAyHy', 'ukiYaW3sEx4FhBbL5HC'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, sNq39XuiXdrIL3xAMZ.cs High entropy of concatenated method names: 'rDCYNiWdJT', 'JtaYWRnjsJ', 'veCYYtlO0M', 'arKYlY6tA2', 'TkDYguL8vD', 'BsmYTp14Kt', 'Dispose', 'LMvvaXgb3r', 'fmlv5NNpSL', 'e3bvmBtB6b'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, DdrD8QiDVAC9B0bhSe.cs High entropy of concatenated method names: 'Bqe0aeZR1y', 'VD50mt8QFf', 'KE1031Y7VA', 'Nni31frHON', 'yOA3zJVBuG', 'QbS07T1dln', 'RCf08eYya6', 'Slp0kZAED2', 'abG0Q5Is6m', 'k3h0GpNUBX'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, lfuoPVVkfQmyvKqAYy.cs High entropy of concatenated method names: 'L2tYLUnEK1', 'YlXYh4wQU9', 'a3PYbs7Ed0', 'zW6YewgPiq', 'Ja1Yyf57qu', 'BiHYjbX9OF', 'CWyYiUiAim', 'PnFYS55eKs', 'X0dYprjgMQ', 'zpnY2Epx0D'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, e5vZwIAlFMIp8hWqLF.cs High entropy of concatenated method names: 'gPF49cdPm9', 'jt24XTweuG', 'N6pmbpf0eI', 'DAYmeqjhl4', 'YM6myujRf2', 'dy0mjaJbRf', 'Cp5miwUUcd', 'UIHmSwWx31', 'UnBmpyeP1l', 'P8tm2YQ5Uy'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, dbSJ6kkvGxIN5F4S66.cs High entropy of concatenated method names: 'nGQHXJTN9', 'MJdtGmd0S', 'VfeFNyPNy', 'aZOX2rZn7', 'xsZdDDB8u', 'DkcAEnHGm', 'GslB8GVFgVPj0QcQ68', 'i4rBRGZnEtUGd6vwEY', 'ADyvk7ksC', 'nsdDHBUSm'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, jUf5anPVY0txVbFl2o.cs High entropy of concatenated method names: 'OkMN2fIEvn', 'q8nNZ12LBB', 'Qg4NPG21r0', 'py6Nsfqqa2', 'd1INhZ4qK8', 'cWTNbuil9a', 'GrVNenBExL', 'twMNytAoSi', 'nVWNj7PwTD', 'TgBNiCqXWV'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, lMhAnHruvgBfTCbcRh.cs High entropy of concatenated method names: 'y0MWoS0s9P', 'LKvW1Hbh6S', 'i1Zv7PbPKg', 'Qu2v8ueiVf', 'GYaWnbYpoM', 'I4MWZW3gtm', 'ba7WBF712A', 'M86WPf5iSL', 'CXnWsgfHF3', 'ya8WclSPh4'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, InCtC65afvQCY47vjJ.cs High entropy of concatenated method names: 'Dispose', 'ErI8VL3xAM', 'rFOkhC2E3j', 'Wrg9s5teAt', 'Pb581w9YMZ', 'mXQ8zU0HHf', 'ProcessDialogKey', 'fOfk7fuoPV', 'cfQk8myvKq', 'FYykkr5VmF'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, mubF09GaO4GPVqwQwH.cs High entropy of concatenated method names: 'Dll80LxkIT', 'gTq8Mipms9', 'h1W8ErTN4K', 'HeK8wKK5vZ', 'HWq8NLFSQn', 'nKH8IBAjq3', 'UWp4vN2xI0m878cv5U', 's1fHTZOaUhcV35Y4Ze', 'L5D882VWC3', 'v6B8QCIlGq'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, Rnec7UpUy4Z3JlcAOl.cs High entropy of concatenated method names: 'BVS0CCYUtD', 'wdT0UPPnBb', 'UB50HFcuan', 'D2W0tLd5fM', 'hU009pQWJa', 'P0P0FZLat2', 'VM40X8uZpW', 'LDQ06QVyN1', 'tYh0d7vwmQ', 'tLZ0AJ6YVf'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, NCgsg3BleELvsW3MXQ.cs High entropy of concatenated method names: 'Tauq6G6wKr', 'DNSqdBS1j7', 'yHsqLS4YtC', 'sn0qhT21LS', 'kItqerjvk3', 'P4Lqyjhtis', 'l0Uqioe58b', 'aXJqSMVyFF', 'zGlq2lymKZ', 'coBqnADi3v'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, oYkmZt88LXyY6Xsq2PA.cs High entropy of concatenated method names: 'RhID1KhlrF', 'DBvDzkTD7H', 'gu3l7Vgk8G', 'V37l8q5Pu4', 'gIClkSkbVR', 'IxClQwBs3Z', 'wWDlGJ3bjW', 'zqXlKwWXII', 'qoQlajqpmy', 'OE3l51nMKF'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, F6xTP4d1WrTN4KheKK.cs High entropy of concatenated method names: 'EnwmtD1AU7', 'xMOmFhIc8W', 'C75m69lAnR', 'PHKmd37jip', 'nP7mNimrrW', 'sxGmIXvs5m', 'o60mWRelwH', 'FYQmvX0LhL', 'yp2mYvJk7l', 'jT5mD4a1sH'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, RayEShzeo8UDhBjgnW.cs High entropy of concatenated method names: 'B4YDFtIUA0', 'ETVD61124O', 'z31DdUP29x', 's5DDLGvQtF', 'cdcDhFPjLY', 'VXjDeNscBo', 'nqHDytvPaY', 'xvKDTDpkXB', 'OF4DCo0t8q', 'lqgDUBG14Q'
Source: 0.2.4yOuoT4GFy.exe.6ed0000.7.raw.unpack, m8UGda8G4dfnrtBMk3S.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xAyJYkRpfS', 'snAJDPU5wk', 'tW7JlaZqrV', 'WRUJJoVZRE', 'wn9JglY4s9', 'LEdJxT8TFR', 'P6AJTEYT04'
Drops PE files
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe File created: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Jump to dropped file

Boot Survival
barindex
Yara detected AsyncRAT
Source: Yara match File source: 9.2.StcHfDkbCv.exe.28226d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2625000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.StcHfDkbCv.exe.282e3b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2630ce0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2625000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.StcHfDkbCv.exe.28226d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.StcHfDkbCv.exe.282e3b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2630ce0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.1766444123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1720656894.0000000002612000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1765381766.0000000002812000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4127051817.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4yOuoT4GFy.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: StcHfDkbCv.exe PID: 8044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2800, type: MEMORYSTR
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\StcHfDkbCv" /XML "C:\Users\user\AppData\Local\Temp\tmp1109.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: 4yOuoT4GFy.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: StcHfDkbCv.exe PID: 8044, type: MEMORYSTR
Yara detected AsyncRAT
Source: Yara match File source: 9.2.StcHfDkbCv.exe.28226d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2625000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.StcHfDkbCv.exe.282e3b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2630ce0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2625000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.StcHfDkbCv.exe.28226d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.StcHfDkbCv.exe.282e3b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2630ce0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.1766444123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1720656894.0000000002612000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1765381766.0000000002812000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4127051817.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4yOuoT4GFy.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: StcHfDkbCv.exe PID: 8044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2800, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 4yOuoT4GFy.exe, 00000000.00000002.1720656894.0000000002612000.00000004.00000800.00020000.00000000.sdmp, StcHfDkbCv.exe, 00000009.00000002.1765381766.0000000002812000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.1766444123.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Memory allocated: A60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Memory allocated: 2570000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Memory allocated: 23C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Memory allocated: 71D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Memory allocated: 81D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Memory allocated: 8370000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Memory allocated: 9370000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1280000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2A90000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4A90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Memory allocated: D60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Memory allocated: 2770000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Memory allocated: 2670000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Memory allocated: 6F70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Memory allocated: 7F70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Memory allocated: 8100000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Memory allocated: 9100000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 15A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2FB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2E00000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7038 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 518 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6506 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 566 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1386 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 8469 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe TID: 7496 Thread sleep time: -119380s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe TID: 7496 Thread sleep time: -32009s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe TID: 7496 Thread sleep time: -35000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe TID: 7512 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828 Thread sleep count: 7038 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7808 Thread sleep count: 518 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8004 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7988 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2852 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7416 Thread sleep time: -22136092888451448s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7484 Thread sleep count: 1386 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7484 Thread sleep count: 8469 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe TID: 8048 Thread sleep time: -119380s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe TID: 8048 Thread sleep time: -32009s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe TID: 8048 Thread sleep time: -35000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe TID: 8184 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5960 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Thread delayed: delay time: 119380 Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Thread delayed: delay time: 32009 Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Thread delayed: delay time: 35000 Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Thread delayed: delay time: 119380 Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Thread delayed: delay time: 32009 Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Thread delayed: delay time: 35000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: MSBuild.exe, 0000000D.00000002.1766444123.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmware
Source: 4yOuoT4GFy.exe, 00000000.00000002.1712612111.0000000000831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: MSBuild.exe, 00000008.00000002.4132471756.0000000005172000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125969011.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4131685073.0000000005101000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 00000008.00000002.4131685073.0000000005101000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW)
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4yOuoT4GFy.exe"
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\StcHfDkbCv.exe"
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4yOuoT4GFy.exe" Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\StcHfDkbCv.exe" Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4yOuoT4GFy.exe" Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\StcHfDkbCv.exe" Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\StcHfDkbCv" /XML "C:\Users\user\AppData\Local\Temp\tmp1109.tmp" Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\StcHfDkbCv" /XML "C:\Users\user\AppData\Local\Temp\tmp25D9.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: MSBuild.exe, 00000008.00000002.4125242253.0000000000ED6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Users\user\Desktop\4yOuoT4GFy.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Queries volume information: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\StcHfDkbCv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Users\user\Desktop\4yOuoT4GFy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Yara detected AsyncRAT
Source: Yara match File source: 9.2.StcHfDkbCv.exe.28226d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2625000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.StcHfDkbCv.exe.282e3b0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2630ce0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2625000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.StcHfDkbCv.exe.28226d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.StcHfDkbCv.exe.282e3b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.4yOuoT4GFy.exe.2630ce0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.1766444123.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1720656894.0000000002612000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1765381766.0000000002812000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4127051817.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4yOuoT4GFy.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: StcHfDkbCv.exe PID: 8044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2800, type: MEMORYSTR
AV process strings found (often used to terminate AV products)
Source: MSBuild.exe, 00000008.00000002.4132471756.0000000005172000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.4125722504.0000000000F38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561650 Sample: 4yOuoT4GFy.exe Startdate: 24/11/2024 Architecture: WINDOWS Score: 100 44 skype.onthewifi.com 2->44 46 ronymahmoud.casacam.net 2->46 48 5 other IPs or domains 2->48 52 Multi AV Scanner detection for domain / URL 2->52 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 12 other signatures 2->58 8 4yOuoT4GFy.exe 7 2->8         started        12 StcHfDkbCv.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\...\StcHfDkbCv.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp1109.tmp, XML 8->40 dropped 42 C:\Users\user\AppData\...\4yOuoT4GFy.exe.log, ASCII 8->42 dropped 60 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->60 62 Uses schtasks.exe or at.exe to add and modify task schedules 8->62 64 Adds a directory exclusion to Windows Defender 8->64 14 powershell.exe 23 8->14         started        17 powershell.exe 23 8->17         started        19 MSBuild.exe 2 8->19         started        22 schtasks.exe 1 8->22         started        66 Multi AV Scanner detection for dropped file 12->66 24 schtasks.exe 12->24         started        26 MSBuild.exe 12->26         started        signatures6 process7 dnsIp8 68 Loading BitLocker PowerShell Module 14->68 28 conhost.exe 14->28         started        30 WmiPrvSE.exe 14->30         started        32 conhost.exe 17->32         started        50 ronymahmoud.casacam.net 3.145.156.44, 49737, 6606 AMAZON-02US United States 19->50 34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
3.145.156.44
 ronymahmoud.casacam.net United States
16509 AMAZON-02US true

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true
skype.onthewifi.com 0.0.0.0 true
s-part-0035.t-0009.t-msedge.net 13.107.246.63 true
fp2e7a.wpc.phicdn.net 192.229.221.95 true
ronymahmoud.casacam.net 3.145.156.44 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
skype.onthewifi.com true
  • 12%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
ronymahmoud.casacam.net true
  • 15%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown