Windows Analysis Report
171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe

Overview

General Information

Sample name: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe
Analysis ID: 1430137
MD5: 33c1151431af95ac887b7640a60b4627
SHA1: 5bd1a59b8f29628a23ba8a6ca2067646878d2b0d
SHA256: aa3fdf09f5e73e4a23580d387717148203f6c2d365ab64caffc109fcc7856ff5
Tags: base64-decodedexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected Telegram RAT
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Avira: detected
Found malware configuration
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6957776389:AAGE3Y2I0YZ27F-41ZLwjxi6zM96chGzSyw/sendMessage?chat_id=6122547045"}
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe.7268.0.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6957776389:AAGE3Y2I0YZ27F-41ZLwjxi6zM96chGzSyw/sendMessage"}
Multi AV Scanner detection for submitted file
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe ReversingLabs: Detection: 60%
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Virustotal: Detection: 59% Perma Link
Machine Learning detection for sample
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49731 -> 149.154.167.220:443
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /bot6957776389:AAGE3Y2I0YZ27F-41ZLwjxi6zM96chGzSyw/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc636d0b874038Host: api.telegram.orgContent-Length: 972Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot6957776389:AAGE3Y2I0YZ27F-41ZLwjxi6zM96chGzSyw/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc63799ba39b3dHost: api.telegram.orgContent-Length: 3978Expect: 100-continue
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: unknown HTTP traffic detected: POST /bot6957776389:AAGE3Y2I0YZ27F-41ZLwjxi6zM96chGzSyw/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc636d0b874038Host: api.telegram.orgContent-Length: 972Expect: 100-continueConnection: Keep-Alive
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 00000000.00000002.4124807530.0000000002462000.00000004.00000800.00020000.00000000.sdmp, 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 00000000.00000002.4124807530.00000000023B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 00000000.00000002.4124807530.0000000002331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe String found in binary or memory: https://account.dyn.com/
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe String found in binary or memory: https://api.ipify.org
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 00000000.00000002.4124807530.0000000002331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 00000000.00000002.4124807530.0000000002331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 00000000.00000002.4124807530.0000000002462000.00000004.00000800.00020000.00000000.sdmp, 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 00000000.00000002.4124807530.00000000023B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe String found in binary or memory: https://api.telegram.org/bot6957776389:AAGE3Y2I0YZ27F-41ZLwjxi6zM96chGzSyw/
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 00000000.00000002.4124807530.0000000002462000.00000004.00000800.00020000.00000000.sdmp, 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 00000000.00000002.4124807530.00000000023B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot6957776389:AAGE3Y2I0YZ27F-41ZLwjxi6zM96chGzSyw/sendDocument
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 7KG.cs .Net Code: N2tC

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, type: SAMPLE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_008A4178 0_2_008A4178
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_008AA939 0_2_008AA939
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_008A4A48 0_2_008A4A48
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_008A3E30 0_2_008A3E30
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_05EF1B78 0_2_05EF1B78
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_05EFF5F8 0_2_05EFF5F8
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_05EF1F30 0_2_05EF1F30
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_05EFDB54 0_2_05EFDB54
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_05F065D0 0_2_05F065D0
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_05F0576C 0_2_05F0576C
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_05F0C158 0_2_05F0C158
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_05F03038 0_2_05F03038
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_05F07D60 0_2_05F07D60
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_05F07680 0_2_05F07680
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_05F00040 0_2_05F00040
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_05F05CC3 0_2_05F05CC3
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_05F00038 0_2_05F00038
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_05F00006 0_2_05F00006
Sample file is different than original file name gathered from version info
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 00000000.00000000.1661656391.0000000000012000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename96652227-8189-45a1-9b08-86e45cc2c583.exe4 vs 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 00000000.00000002.4121775120.00000000001E8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 00000000.00000002.4122916734.000000000065E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Binary or memory string: OriginalFilename96652227-8189-45a1-9b08-86e45cc2c583.exe4 vs 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe
Uses 32bit PE files
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe.10000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 1UT6pzc0M.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, DnQOD3M.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 01seU.cs Cryptographic APIs: 'CreateDecryptor'
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, iUDwvr7Gz.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, XUu2qKyuF6.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, aZathEIgR.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, l50VLEll22.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, l50VLEll22.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Binary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.3
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Mutant created: NULL
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe ReversingLabs: Detection: 60%
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Virustotal: Detection: 59%
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_008A0B4D push edi; ret 0_2_008A0CC2
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Code function: 0_2_008A0C95 push edi; retf 0_2_008A0C3A
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Memory allocated: 870000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Memory allocated: 2330000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Memory allocated: 4330000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599844 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599718 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599609 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599500 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599390 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599281 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599172 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599062 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598951 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598734 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598625 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598514 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598406 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598297 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598187 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597969 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597844 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597734 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597625 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597515 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597406 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597297 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597187 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597078 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596969 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596844 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596734 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596625 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596515 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596406 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596297 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596187 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596075 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595844 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595620 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595513 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595391 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595266 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595141 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 594921 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 594812 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 594593 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 594484 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Window / User API: threadDelayed 1835 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Window / User API: threadDelayed 7987 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -27670116110564310s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7396 Thread sleep count: 1835 > 30 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -599844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -599718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7396 Thread sleep count: 7987 > 30 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -599609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -599500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -599390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -599281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -599172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -599062s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -598951s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -598844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -598734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -598625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -598514s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -598406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -598297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -598187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -598078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -597969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -597844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -597734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -597625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -597515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -597406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -597297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -597187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -597078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -596969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -596844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -596734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -596625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -596515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -596406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -596297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -596187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -596075s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -595953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -595844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -595734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -595620s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -595513s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -595391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -595266s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -595141s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -595031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -594921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -594812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -594703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -594593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe TID: 7368 Thread sleep time: -594484s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599844 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599718 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599609 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599500 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599390 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599281 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599172 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 599062 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598951 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598734 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598625 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598514 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598406 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598297 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598187 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597969 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597844 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597734 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597625 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597515 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597406 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597297 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597187 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 597078 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596969 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596844 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596734 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596625 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596515 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596406 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596297 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596187 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 596075 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595844 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595620 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595513 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595391 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595266 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595141 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 594921 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 594812 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 594593 Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Thread delayed: delay time: 594484 Jump to behavior
Source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, 00000000.00000002.4122916734.00000000006F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Queries volume information: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.0.171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4124807530.00000000023AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4124807530.00000000023B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4124807530.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1661656391.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe PID: 7268, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4124807530.00000000023B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1661656391.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe PID: 7268, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4124807530.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1661656391.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe PID: 7268, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.0.171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4124807530.00000000023AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4124807530.00000000023B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4124807530.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1661656391.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe PID: 7268, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4124807530.00000000023B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1661656391.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe PID: 7268, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
104.26.12.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
api.ipify.org 104.26.12.205 true
api.telegram.org 149.154.167.220 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high
    https://api.telegram.org/bot6957776389:AAGE3Y2I0YZ27F-41ZLwjxi6zM96chGzSyw/sendDocument false
      		high