Windows Analysis Report
54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe

Overview

General Information

Sample name: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Analysis ID: 1592541
MD5: 433d5cc92f9e4a787e197f04c977ca36
SHA1: b5e3ed631ababd71b3de12b44ce4a0669279f505
SHA256: eda2bf8423a8046d884b20532a74bed0ce7219a2ee5f9fe829a72624d081e3df
Tags: exeMassLoggeruser-lowmal3
Infos:

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection
barindex
Found malware configuration
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "serverche399@gpsamsterdamqroup.com", "Password": " j4YX(KT7UCZ1 ", "Server": "fiber13.dnsiaas.com", "To": "almightstephen@gmail.com", "Port": 587}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Virustotal: Detection: 33% Perma Link
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe ReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49740 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49813 version: TLS 1.0
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 0A395B87h 0_2_0A39530E
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 01509731h 7_2_01509480
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 01509E5Ah 7_2_01509A40
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 01509E5Ah 7_2_01509A30
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 01509E5Ah 7_2_01509D87
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CE8830h 7_2_05CE8588
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CE47C9h 7_2_05CE4520
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CE76D0h 7_2_05CE7428
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CEF700h 7_2_05CEF458
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CE76D0h 7_2_05CE7428
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CEE9F8h 7_2_05CEE750
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CE5929h 7_2_05CE5680
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CE83D8h 7_2_05CE8130
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CEF2A8h 7_2_05CEF000
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CEE5A0h 7_2_05CEE2F8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CE54D1h 7_2_05CE5228
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CE5079h 7_2_05CE4DD0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CE7F80h 7_2_05CE7CD8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CE7278h 7_2_05CE6FD0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CE4C21h 7_2_05CE4978
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CE7B28h 7_2_05CE7880
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CEFB58h 7_2_05CEF8B0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CEEE50h 7_2_05CEEBA8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 4x nop then jmp 05CE5E15h 7_2_05CE5AD8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 03194E8Fh 8_2_03194616
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 03099731h 13_2_03099480
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 03099E5Ah 13_2_03099A30
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 03099E5Ah 13_2_03099D87
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C68830h 13_2_05C68588
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C647C9h 13_2_05C64520
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C6F700h 13_2_05C6F458
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C676D0h 13_2_05C67428
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C6E9F8h 13_2_05C6E750
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C65929h 13_2_05C65680
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C6E5A0h 13_2_05C6E180
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C683D8h 13_2_05C68130
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C6F2A8h 13_2_05C6F000
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C654D1h 13_2_05C65228
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C65079h 13_2_05C64DD0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C67F80h 13_2_05C67CD8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C67278h 13_2_05C66FD0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C64C21h 13_2_05C64978
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C67B28h 13_2_05C67880
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C6FB58h 13_2_05C6F8B0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C6EE50h 13_2_05C6EBA8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 4x nop then jmp 05C65E15h 13_2_05C65AD8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View IP Address: 104.21.64.1 104.21.64.1
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49713 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49717 -> 132.226.8.169:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49740 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49813 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.comd
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.0000000003291000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/d
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.orgd
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, NoCGdFUXaoNd.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, NoCGdFUXaoNd.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, NoCGdFUXaoNd.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000315B000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000332B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000315B000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000332B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.orgd
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2171623456.00000000031D3000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2205049755.0000000003249000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.0000000003291000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000313F000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000330E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, NoCGdFUXaoNd.exe.0.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_015825B0 0_2_015825B0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01580870 0_2_01580870
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01581408 0_2_01581408
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_015834F0 0_2_015834F0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01589860 0_2_01589860
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01581C30 0_2_01581C30
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01584210 0_2_01584210
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01584200 0_2_01584200
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01584410 0_2_01584410
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01584400 0_2_01584400
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01584F50 0_2_01584F50
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01584F60 0_2_01584F60
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01581361 0_2_01581361
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01585250 0_2_01585250
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_015835D8 0_2_015835D8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_015835EF 0_2_015835EF
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01583442 0_2_01583442
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01583402 0_2_01583402
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01583715 0_2_01583715
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_015857F8 0_2_015857F8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_0158379C 0_2_0158379C
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01585659 0_2_01585659
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01585668 0_2_01585668
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01585808 0_2_01585808
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01585A18 0_2_01585A18
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_01585A09 0_2_01585A09
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF29A9 0_2_09EF29A9
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF7990 0_2_09EF7990
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF0AD0 0_2_09EF0AD0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF5A78 0_2_09EF5A78
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF1C90 0_2_09EF1C90
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF70E0 0_2_09EF70E0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF0040 0_2_09EF0040
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF6018 0_2_09EF6018
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF12D8 0_2_09EF12D8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF5638 0_2_09EF5638
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF7980 0_2_09EF7980
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF3968 0_2_09EF3968
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF3959 0_2_09EF3959
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF6910 0_2_09EF6910
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF4BA8 0_2_09EF4BA8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF4B98 0_2_09EF4B98
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF5A69 0_2_09EF5A69
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF4DC8 0_2_09EF4DC8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF4DB8 0_2_09EF4DB8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF5CC0 0_2_09EF5CC0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF5CB1 0_2_09EF5CB1
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF1C81 0_2_09EF1C81
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF7F60 0_2_09EF7F60
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF7F70 0_2_09EF7F70
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EFF1B8 0_2_09EFF1B8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF70D0 0_2_09EF70D0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF5040 0_2_09EF5040
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF0021 0_2_09EF0021
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF5030 0_2_09EF5030
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF6008 0_2_09EF6008
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF12C9 0_2_09EF12C9
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF4508 0_2_09EF4508
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF4518 0_2_09EF4518
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF6460 0_2_09EF6460
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF6451 0_2_09EF6451
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF1720 0_2_09EF1720
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF1711 0_2_09EF1711
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF5629 0_2_09EF5629
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_0A3902A0 0_2_0A3902A0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_0A390B10 0_2_0A390B10
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_0A390B00 0_2_0A390B00
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_0A3906D8 0_2_0A3906D8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_0A3D6BDC 0_2_0A3D6BDC
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_0A3D90E8 0_2_0A3D90E8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_0150C530 7_2_0150C530
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_01502DD1 7_2_01502DD1
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_01509480 7_2_01509480
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_015019B8 7_2_015019B8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_0150C521 7_2_0150C521
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_0150946F 7_2_0150946F
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE6138 7_2_05CE6138
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CEBC60 7_2_05CEBC60
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CEAF00 7_2_05CEAF00
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE89E0 7_2_05CE89E0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE8588 7_2_05CE8588
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE8579 7_2_05CE8579
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE450F 7_2_05CE450F
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE4520 7_2_05CE4520
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE7428 7_2_05CE7428
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CEF458 7_2_05CEF458
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CEF455 7_2_05CEF455
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE741B 7_2_05CE741B
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE7428 7_2_05CE7428
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CEE740 7_2_05CEE740
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CEE750 7_2_05CEE750
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE5680 7_2_05CE5680
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE566F 7_2_05CE566F
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE612B 7_2_05CE612B
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE8120 7_2_05CE8120
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE8130 7_2_05CE8130
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CEF000 7_2_05CEF000
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE13A8 7_2_05CE13A8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE0320 7_2_05CE0320
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE0330 7_2_05CE0330
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CEE2F8 7_2_05CEE2F8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CEE2F5 7_2_05CEE2F5
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE521B 7_2_05CE521B
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE5228 7_2_05CE5228
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE4DC0 7_2_05CE4DC0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE4DD0 7_2_05CE4DD0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE7CC8 7_2_05CE7CC8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE0CD8 7_2_05CE0CD8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE7CD8 7_2_05CE7CD8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE6FC3 7_2_05CE6FC3
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE6FD0 7_2_05CE6FD0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CEEFFD 7_2_05CEEFFD
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE4969 7_2_05CE4969
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE4978 7_2_05CE4978
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE7880 7_2_05CE7880
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CEF8A1 7_2_05CEF8A1
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CEF8B0 7_2_05CEF8B0
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE7871 7_2_05CE7871
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CEEB98 7_2_05CEEB98
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CEEBA8 7_2_05CEEBA8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE5ACA 7_2_05CE5ACA
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE5AD8 7_2_05CE5AD8
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 7_2_05CE0AB8 7_2_05CE0AB8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_030325B0 8_2_030325B0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03030870 8_2_03030870
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03031408 8_2_03031408
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_030334F0 8_2_030334F0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03039860 8_2_03039860
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03031C30 8_2_03031C30
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03034200 8_2_03034200
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03034210 8_2_03034210
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03034400 8_2_03034400
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03034410 8_2_03034410
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03034F50 8_2_03034F50
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03034F60 8_2_03034F60
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03031361 8_2_03031361
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03033393 8_2_03033393
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_030333B6 8_2_030333B6
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_030333F0 8_2_030333F0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03035250 8_2_03035250
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03033715 8_2_03033715
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0303379C 8_2_0303379C
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_030357F8 8_2_030357F8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03035659 8_2_03035659
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03035668 8_2_03035668
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_030335D8 8_2_030335D8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_030335EF 8_2_030335EF
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03035A09 8_2_03035A09
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03035A18 8_2_03035A18
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03035808 8_2_03035808
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03196500 8_2_03196500
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_031908F8 8_2_031908F8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_031908E8 8_2_031908E8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_03190D30 8_2_03190D30
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_031904C0 8_2_031904C0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_08896BDC 8_2_08896BDC
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_088990F3 8_2_088990F3
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B487B10 8_2_0B487B10
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B485BF8 8_2_0B485BF8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B480AD0 8_2_0B480AD0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B481C90 8_2_0B481C90
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B487260 8_2_0B487260
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B4812D8 8_2_0B4812D8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B486198 8_2_0B486198
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B480040 8_2_0B480040
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B4857B8 8_2_0B4857B8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B487B00 8_2_0B487B00
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B485BE9 8_2_0B485BE9
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B484B98 8_2_0B484B98
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B484BA8 8_2_0B484BA8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B486A91 8_2_0B486A91
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B483959 8_2_0B483959
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B483968 8_2_0B483968
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B485E40 8_2_0B485E40
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B485E31 8_2_0B485E31
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B48EEF3 8_2_0B48EEF3
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B48BE90 8_2_0B48BE90
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B484DC8 8_2_0B484DC8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B484DB8 8_2_0B484DB8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B481C81 8_2_0B481C81
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B48F338 8_2_0B48F338
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B487250 8_2_0B487250
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B4812C9 8_2_0B4812C9
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B486188 8_2_0B486188
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B485040 8_2_0B485040
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B480006 8_2_0B480006
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B485030 8_2_0B485030
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B4880E2 8_2_0B4880E2
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B4880F0 8_2_0B4880F0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B481719 8_2_0B481719
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B481720 8_2_0B481720
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B4857A8 8_2_0B4857A8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B484508 8_2_0B484508
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B484518 8_2_0B484518
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B4865D0 8_2_0B4865D0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B4865E0 8_2_0B4865E0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_030927B9 13_2_030927B9
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_0309C530 13_2_0309C530
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_03092DD1 13_2_03092DD1
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_03099480 13_2_03099480
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_0309C521 13_2_0309C521
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_0309946F 13_2_0309946F
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C66138 13_2_05C66138
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6BC60 13_2_05C6BC60
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6AF00 13_2_05C6AF00
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C689E0 13_2_05C689E0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C68588 13_2_05C68588
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C68579 13_2_05C68579
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6450F 13_2_05C6450F
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C64520 13_2_05C64520
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6F448 13_2_05C6F448
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6F458 13_2_05C6F458
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C67418 13_2_05C67418
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C67428 13_2_05C67428
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6E740 13_2_05C6E740
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6E750 13_2_05C6E750
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C65680 13_2_05C65680
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6566F 13_2_05C6566F
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6E180 13_2_05C6E180
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C68120 13_2_05C68120
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C68130 13_2_05C68130
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6F000 13_2_05C6F000
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6602A 13_2_05C6602A
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6032B 13_2_05C6032B
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C60330 13_2_05C60330
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6521A 13_2_05C6521A
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C65228 13_2_05C65228
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C64DC0 13_2_05C64DC0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C64DD0 13_2_05C64DD0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C67CC8 13_2_05C67CC8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C60CD8 13_2_05C60CD8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C67CD8 13_2_05C67CD8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C66FC3 13_2_05C66FC3
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C66FD0 13_2_05C66FD0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6EFF0 13_2_05C6EFF0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C689D0 13_2_05C689D0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C64969 13_2_05C64969
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C64978 13_2_05C64978
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C67880 13_2_05C67880
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6F8A1 13_2_05C6F8A1
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6F8B0 13_2_05C6F8B0
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C67871 13_2_05C67871
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6EB98 13_2_05C6EB98
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C6EBA8 13_2_05C6EBA8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C65ACA 13_2_05C65ACA
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C65AD8 13_2_05C65AD8
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_05C60AB8 13_2_05C60AB8
PE / OLE file has an invalid certificate
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2178629864.0000000008720000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2179699202.000000000EA10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000000.2126156560.0000000000D52000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDzXb.exe" vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2171623456.00000000031D3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2169401089.000000000123E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3393764269.00000000012F7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Binary or memory string: OriginalFilenameDzXb.exe" vs 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe
Uses 32bit PE files
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NoCGdFUXaoNd.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/11@2/2
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe File created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Mutant created: \Sessions\1\BaseNamedObjects\QzAmJJy
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4420:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_03
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe File created: C:\Users\user\AppData\Local\Temp\tmp70BF.tmp Jump to behavior
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.000000000319F000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3397468149.00000000040ED000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000031BD000.00000004.00000800.00020000.00000000.sdmp, 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3395787831.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000336E000.00000004.00000800.00020000.00000000.sdmp, NoCGdFUXaoNd.exe, 0000000D.00000002.3396422686.000000000338C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Virustotal: Detection: 33%
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe File read: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe "C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe"
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process created: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe "C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp7C49.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe" Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp" Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process created: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe "C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp7C49.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe" Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Code function: 0_2_09EF036B push ecx; ret 0_2_09EF036C
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_08898C88 pushfd ; retf 0007h 8_2_08898C89
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_08890488 push 5007CA97h; ret 8_2_0889048D
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 8_2_0B48036B push ecx; ret 8_2_0B48036C
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_0309B3A8 push eax; iretd 13_2_0309B445
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Code function: 13_2_0309BB22 push 00000005h; iretd 13_2_0309BB44
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Static PE information: section name: .text entropy: 7.4325084092117395
Source: NoCGdFUXaoNd.exe.0.dr Static PE information: section name: .text entropy: 7.4325084092117395
Drops PE files
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe File created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: 1580000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: 3160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: 5160000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: 5740000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: 6740000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: 6870000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: 7870000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: B810000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: 9F00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: C810000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: D810000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: EA70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: FA70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: 10A70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: 1500000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: 30C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: 50C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: 3030000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: 3240000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: 3190000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: 5830000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: 6830000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: 6960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: 7960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: B490000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: C490000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: C920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: 6960000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: B490000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: C920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: 1700000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: 3290000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory allocated: 1700000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7410 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2146 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe TID: 4196 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1372 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe TID: 6524 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe, 00000007.00000002.3394727391.0000000001547000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: NoCGdFUXaoNd.exe, 0000000D.00000002.3393823248.00000000011F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe"
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Memory written: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Memory written: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe" Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp70BF.tmp" Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Process created: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe "C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCGdFUXaoNd" /XML "C:\Users\user\AppData\Local\Temp\tmp7C49.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Process created: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe "C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Queries volume information: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Queries volume information: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Queries volume information: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Queries volume information: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected MassLogger RAT
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Roaming\NoCGdFUXaoNd.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.3396422686.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3395787831.00000000031E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NoCGdFUXaoNd.exe PID: 6764, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected MassLogger RAT
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.4b8ed20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.NoCGdFUXaoNd.exe.4245570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe.49b4148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2206223221.000000000439F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3393494273.000000000040F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2172358737.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2206223221.0000000004241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2172358737.00000000049B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 4924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe PID: 2620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: NoCGdFUXaoNd.exe PID: 5140, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1592541 Sample: 54403 ADVANCED DEMURRAGE PR... Startdate: 16/01/2025 Architecture: WINDOWS Score: 100 48 reallyfreegeoip.org 2->48 50 checkip.dyndns.org 2->50 52 checkip.dyndns.com 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Sigma detected: Scheduled temp file as task from temp location 2->58 62 9 other signatures 2->62 8 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe 7 2->8         started        12 NoCGdFUXaoNd.exe 5 2->12         started        signatures3 60 Tries to detect the country of the analysis system (by using the IP) 48->60 process4 file5 36 C:\Users\user\AppData\...36oCGdFUXaoNd.exe, PE32 8->36 dropped 38 C:\Users\...38oCGdFUXaoNd.exe:Zone.Identifier, ASCII 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmp70BF.tmp, XML 8->40 dropped 42 54403 ADVANCED DEM...01.2025.scr.exe.log, ASCII 8->42 dropped 64 Adds a directory exclusion to Windows Defender 8->64 66 Injects a PE file into a foreign processes 8->66 14 powershell.exe 23 8->14         started        17 54403 ADVANCED DEMURRAGE PROFORMA 15.01.2025.scr.exe 15 2 8->17         started        20 schtasks.exe 1 8->20         started        68 Multi AV Scanner detection for dropped file 12->68 70 Machine Learning detection for dropped file 12->70 22 NoCGdFUXaoNd.exe 14 2 12->22         started        24 schtasks.exe 1 12->24         started        26 NoCGdFUXaoNd.exe 12->26         started        signatures6 process7 dnsIp8 72 Loading BitLocker PowerShell Module 14->72 28 WmiPrvSE.exe 14->28         started        30 conhost.exe 14->30         started        44 checkip.dyndns.com 132.226.8.169, 49713, 49717, 80 UTMEMUS United States 17->44 46 reallyfreegeoip.org 104.21.64.1, 443, 49740, 49813 CLOUDFLARENETUS United States 17->46 32 conhost.exe 20->32         started        74 Tries to steal Mail credentials (via file / registry access) 22->74 76 Tries to harvest and steal browser information (history, passwords, etc) 22->76 34 conhost.exe 24->34         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
132.226.8.169
 checkip.dyndns.com United States
16989 UTMEMUS false
104.21.64.1
 reallyfreegeoip.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
reallyfreegeoip.org 104.21.64.1 true
checkip.dyndns.com 132.226.8.169 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
    		high
    https://reallyfreegeoip.org/xml/8.46.123.189 false
      		high