Source: wcfForestCo.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: wcfForestCo.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: Yara match | File source: wcfForestCo.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.wcfForestCo.exe.ef0000.0.unpack, type: UNPACKEDPE |
Source: wcfForestCo.exe | String found in binary or memory: http://checkip.amazonaws.com/)https://ipinfo.io/ip |
Source: wcfForestCo.exe | String found in binary or memory: https://api.ipify.org |
Source: wcfForestCo.exe | String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy |
Source: wcfForestCo.exe, 00000000.00000002.315547881.0000000001619000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: wcfForestCo.exe, 00000000.00000002.315547881.0000000001619000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs wcfForestCo.exe |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Code function: 0_2_030675D8 | 0_2_030675D8 |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Code function: 0_2_030675E8 | 0_2_030675E8 |
Source: C:\Users\user\Desktop\wcfForestCo.exe | File read: C:\Users\user\Desktop\wcfForestCo.exe:Zone.Identifier |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Code function: 0_2_03061250 StartServiceCtrlDispatcherW, | 0_2_03061250 |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Code function: 0_2_03061390 StartServiceCtrlDispatcherW, | 0_2_03061390 |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Code function: 0_2_03061398 StartServiceCtrlDispatcherW, | 0_2_03061398 |
Source: wcfForestCo.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: wcfForestCo.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83% |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll |
Source: unknown | Process created: C:\Users\user\Desktop\wcfForestCo.exe C:\Users\user\Desktop\wcfForestCo.exe |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4360:120:WilError_01 |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0 |
Source: C:\Users\user\Desktop\wcfForestCo.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wcfForestCo.exe.log |
Source: classification engine | Classification label: sus24.troj.winEXE@2/1@0/0 |
Source: wcfForestCo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Process information set: NOOPENFILEERRORBOX (28 identical rows in the report) |
Source: C:\Users\user\Desktop\wcfForestCo.exe TID: 3140 | Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Thread delayed: delay time: 922337203685477 (2 identical rows in the report) |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Process token adjusted: Debug |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Queries volume information: C:\Users\user\Desktop\wcfForestCo.exe VolumeInformation |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\wcfForestCo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
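Added example, not part of the sandbox report or the vendor's tooling: a small Python triage helper for rows in the format shown above. It parses the flattened "Source | description | link" rows, splits the run-together URL literals (the "String found in binary or memory" rows) back into individual indicators, and attaches a triage note to the behaviour rows that are routine .NET runtime start-up activity as opposed to the ones worth weighting. The sample rows are copied from this page; the row regex, the #US-heap length-prefix check, and the wording of the triage notes are this example's own.

```python
"""Triage helper for flattened sandbox signature rows (added example)."""
import re
from dataclasses import dataclass

# Rows copied from the report above (a constructed subset for this example).
SAMPLE_ROWS = [
    "Source: wcfForestCo.exe | String found in binary or memory: http://checkip.amazonaws.com/)https://ipinfo.io/ip |",
    "Source: wcfForestCo.exe | String found in binary or memory: https://api.ipify.org |",
    "Source: wcfForestCo.exe | String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy |",
    r"Source: C:\Users\user\Desktop\wcfForestCo.exe | Code function: 0_2_03061250 StartServiceCtrlDispatcherW, | 0_2_03061250 |",
    r"Source: C:\Users\user\Desktop\wcfForestCo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |",
    r"Source: C:\Users\user\Desktop\wcfForestCo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid | Jump to behavior |",
    r"Source: C:\Users\user\Desktop\wcfForestCo.exe | File read: C:\Users\user\Desktop\wcfForestCo.exe:Zone.Identifier | Jump to behavior |",
]

# Editor's triage notes (kind, substring of the detail cell, note). Not sandbox verdicts.
TRIAGE_NOTES = [
    ("Code function", "StartServiceCtrlDispatcherW",
     "can run as a Windows service (matches System.ServiceProcess.dll being loaded); check how it was launched"),
    ("Key opened", r"Safer\CodeIdentifiers",
     "Software Restriction Policy lookup; the CLR does this for every managed start-up, so not evidence on its own"),
    ("Key value queried", "MachineGuid",
     "host-unique ID, often used for victim fingerprinting; weigh together with the external-IP lookup URLs"),
    ("File read", "Zone.Identifier",
     "Mark-of-the-Web read; routine for the CLR when loading a downloaded assembly"),
    ("Process information set", "NOOPENFILEERRORBOX",
     "SetErrorMode so missing-file errors do not raise a dialog; common in unattended code of any kind"),
]

ROW_RE = re.compile(r"^Source:\s*(?P<source>[^|]+?)\s*\|\s*(?P<kind>[^:|]+):\s*(?P<detail>.*?)\s*\|")
URL_START = re.compile(r"https?://")


@dataclass
class Row:
    source: str
    kind: str
    detail: str


def parse_row(line):
    """Return a Row for one flattened report line, or None if it does not match."""
    m = ROW_RE.match(line)
    return Row(m["source"], m["kind"].strip(), m["detail"]) if m else None


def split_user_string_heap(blob):
    """Split URL literals that a byte-oriented strings dump ran together.

    .NET string literals live in the #US heap as [length byte][UTF-16 text][terminal byte],
    with the length counting the terminal byte. A strings dump therefore shows consecutive
    literals joined by one junk character: the length prefix of the *next* literal
    (')' is 0x29 = 41 = 20 chars * 2 + 1 for "https://ipinfo.io/ip").
    Returns (url, complete) pairs; complete is False when the prefix announces more
    characters than the report shows, i.e. the row was truncated. Assumes single-byte
    prefixes (literals under 128 bytes), which holds for every row on this page.
    """
    starts = [m.start() for m in URL_START.finditer(blob)]
    out = []
    for i, s in enumerate(starts):
        nxt = starts[i + 1] if i + 1 < len(starts) else None
        seg = blob[s:nxt] if nxt is not None else blob[s:]
        if nxt is not None:
            seg = seg[:-1]  # drop the length prefix of the following literal
        expected = (ord(blob[s - 1]) - 1) // 2 if s > 0 else None  # chars announced by the prefix
        out.append((seg, expected is None or len(seg) == expected))
    return out


def triage(lines):
    """Collect URL indicators and triage notes from report rows."""
    urls, notes = [], []
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        if row.kind == "String found in binary or memory":
            urls.extend(split_user_string_heap(row.detail))
        for kind, needle, note in TRIAGE_NOTES:
            if row.kind == kind and needle in row.detail:
                notes.append((kind, needle, note))
    return {"urls": urls, "notes": notes}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for url, complete in result["urls"]:
        print(url + ("" if complete else "   <- truncated in report, do not use as a full IOC"))
    for kind, needle, note in result["notes"]:
        print(f"[{kind}] {needle}: {note}")
```

The length-prefix check is what lets the helper refuse to guess: the last literal in the third row is announced as 25 characters but only 17 survive on the page, so it is reported as truncated instead of being completed into a hostname the report never shows. Six of the seven external-IP lookup services come out as complete indicators.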