Windows Analysis Report
jW8UOYF1dk0W6Wm.exe

Overview

General Information

Sample name: jW8UOYF1dk0W6Wm.exe
Analysis ID: 1436596
MD5: 4e83799cacdf643392ef05759f5ddbed
SHA1: 448e53684de7e39aecc362d814e0650c30b51f9e
SHA256: 7e8466ab7fd0c3ce3f6ef1df5bffa0e4fb0c9764b3c553685ca62e3d8fbb80ad
Tags: exe
Infos:

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.metalsbox.com", "Username": "nasser@metalsbox.com", "Password": "zxcA@@258963"}
Multi AV Scanner detection for submitted file
Source: jW8UOYF1dk0W6Wm.exe ReversingLabs: Detection: 18%
Source: jW8UOYF1dk0W6Wm.exe Virustotal: Detection: 30% Perma Link
Machine Learning detection for sample
Source: jW8UOYF1dk0W6Wm.exe Joe Sandbox ML: detected
Source: https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP Parser: No favicon
Source: https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP Parser: No favicon
Source: https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP Parser: No favicon
Uses 32bit PE files
Source: jW8UOYF1dk0W6Wm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: jW8UOYF1dk0W6Wm.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RIZe.pdb source: jW8UOYF1dk0W6Wm.exe
Source: Binary string: RIZe.pdbSHA256T source: jW8UOYF1dk0W6Wm.exe

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49735 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49735 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49735 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49735 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49735 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49735 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49760 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49760 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49760 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49760 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49760 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49761 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49761 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49761 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49761 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49761 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49764 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49764 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49764 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49764 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49764 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49765 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49765 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49765 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49765 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49765 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49766 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49766 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49766 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49766 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49766 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49775 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49775 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49775 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49775 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49775 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49778 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49778 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49778 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49778 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49778 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49779 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49779 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49779 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49779 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49779 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49780 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49780 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49780 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49780 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49780 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49781 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49781 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49781 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49781 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49781 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49785 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49785 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49785 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49785 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49785 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49786 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49786 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49786 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49786 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49786 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49787 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49787 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49787 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49787 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49787 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49789 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49789 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49789 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49789 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49789 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49790 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49790 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49790 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49790 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49790 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49792 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49792 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49792 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49792 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49792 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49793 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49793 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49793 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49793 -> 192.185.166.221:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49793 -> 192.185.166.221:587
Yara detected Generic Downloader
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.471ab80.4.raw.unpack, type: UNPACKEDPE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.185.166.221 192.185.166.221
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=GzraRp+pUd391VH&MD=xPxD8VgT HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=GzraRp+pUd391VH&MD=xPxD8VgT HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP/1.1Host: ogs.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=513=kSwAC5cYeQdvlb-Djju1AmS4FlGf4T-ylFFoy_Wyi1fnuec4Tthykd9rW_PsbASY-er6_CjgqTp2nCbZx7UF7VwYFg4XH-7wJ2_SUMYfeCVVFdJK0IY0Zhk42Ia-IwUXN_LWenCcwUQUHMlpEPoU-M3qcKXvgbhaOXA1wrZn1G4
Source: global traffic DNS traffic detected: DNS query: mail.metalsbox.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: ogs.google.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: unknown HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 785sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-Type: text/plain;charset=UTF-8X-Goog-AuthUser: 0sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Origin: https://ogs.google.comX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ogs.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=513=cTsIuf4gfVvY9p93m_2E0TRlKqvxSCZt2Ymc5-jBMZvr5XOro5-fRm6K62lyLBSkEHOCOSfpOeVRdeDENBxN4ePgvfk01VYMzGA-vO68vanHDOh6CM7FR1IArKuC6x7MDcQHO5DwEZKPFzIlQkbj9etlXkMRgnpgxuvLNK9qVP8
Source: jW8UOYF1dk0W6Wm.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: jW8UOYF1dk0W6Wm.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: jW8UOYF1dk0W6Wm.exe, 00000002.00000002.4080332899.0000000003026000.00000004.00000800.00020000.00000000.sdmp, jW8UOYF1dk0W6Wm.exe, 00000002.00000002.4080332899.0000000002C69000.00000004.00000800.00020000.00000000.sdmp, jW8UOYF1dk0W6Wm.exe, 00000002.00000002.4080332899.0000000002DAE000.00000004.00000800.00020000.00000000.sdmp, jW8UOYF1dk0W6Wm.exe, 00000002.00000002.4080332899.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, jW8UOYF1dk0W6Wm.exe, 00000002.00000002.4080332899.0000000002E35000.00000004.00000800.00020000.00000000.sdmp, jW8UOYF1dk0W6Wm.exe, 00000002.00000002.4080332899.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, jW8UOYF1dk0W6Wm.exe, 00000002.00000002.4080332899.0000000002CF0000.00000004.00000800.00020000.00000000.sdmp, jW8UOYF1dk0W6Wm.exe, 00000002.00000002.4080332899.0000000002F13000.00000004.00000800.00020000.00000000.sdmp, jW8UOYF1dk0W6Wm.exe, 00000002.00000002.4080332899.0000000002E8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.metalsbox.com
Source: jW8UOYF1dk0W6Wm.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: chromecache_68.4.dr String found in binary or memory: http://www.broofa.com
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631875838.0000000005B30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com(.
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1631978045.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1630917508.0000000004693000.00000004.00000800.00020000.00000000.sdmp, jW8UOYF1dk0W6Wm.exe, 00000002.00000002.4075644610.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: chromecache_81.4.dr String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_81.4.dr String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_68.4.dr, chromecache_81.4.dr String found in binary or memory: https://apis.google.com
Source: chromecache_72.4.dr String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_81.4.dr String found in binary or memory: https://clients6.google.com
Source: chromecache_81.4.dr String found in binary or memory: https://content.googleapis.com
Source: chromecache_81.4.dr String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
Source: chromecache_81.4.dr String found in binary or memory: https://domains.google.com/suggest/flow
Source: chromecache_68.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_68.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_68.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_68.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: chromecache_83.4.dr String found in binary or memory: https://ogs.google.com/
Source: chromecache_83.4.dr String found in binary or memory: https://ogs.google.com/widget/app/so
Source: chromecache_67.4.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_81.4.dr String found in binary or memory: https://plus.google.com
Source: chromecache_81.4.dr String found in binary or memory: https://plus.googleapis.com
Source: chromecache_83.4.dr String found in binary or memory: https://ssl.gstatic.com
Source: chromecache_72.4.dr String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_81.4.dr String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: jW8UOYF1dk0W6Wm.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: chromecache_72.4.dr String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: chromecache_81.4.dr String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_81.4.dr String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_83.4.dr String found in binary or memory: https://www.gstatic.com
Source: chromecache_83.4.dr String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.
Source: chromecache_68.4.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_68.4.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_68.4.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49757 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.raw.unpack, lBLTBzkV.cs .Net Code: _4TudthV
Source: 0.2.jW8UOYF1dk0W6Wm.exe.471ab80.4.raw.unpack, lBLTBzkV.cs .Net Code: _4TudthV
Installs a global keyboard hook
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.jW8UOYF1dk0W6Wm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.jW8UOYF1dk0W6Wm.exe.471ab80.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.jW8UOYF1dk0W6Wm.exe.471ab80.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_0156E47C 0_2_0156E47C
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_078DAB60 0_2_078DAB60
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_078D6A00 0_2_078D6A00
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_078DC190 0_2_078DC190
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_078D0040 0_2_078D0040
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_07A32680 0_2_07A32680
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_07CC2370 0_2_07CC2370
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_07CCEE19 0_2_07CCEE19
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_07CCEE28 0_2_07CCEE28
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_07CC9D85 0_2_07CC9D85
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_07CCCDA8 0_2_07CCCDA8
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_07CC9DA0 0_2_07CC9DA0
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_07CCD1F0 0_2_07CCD1F0
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_07CCE9F0 0_2_07CCE9F0
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_07CCF828 0_2_07CCF828
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_029D4308 2_2_029D4308
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_029D94B8 2_2_029D94B8
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_029D4BD8 2_2_029D4BD8
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_029D3FC0 2_2_029D3FC0
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_029D9C70 2_2_029D9C70
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_029DD2A8 2_2_029DD2A8
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_061556D0 2_2_061556D0
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_06152EF0 2_2_06152EF0
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_06153F48 2_2_06153F48
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_0615BD18 2_2_0615BD18
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_06159AE8 2_2_06159AE8
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_06158B77 2_2_06158B77
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_06150040 2_2_06150040
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_06153648 2_2_06153648
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_06154FF0 2_2_06154FF0
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_06291128 2_2_06291128
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_06291122 2_2_06291122
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_029DD2A6 2_2_029DD2A6
PE / OLE file has an invalid certificate
Source: jW8UOYF1dk0W6Wm.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1633389749.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs jW8UOYF1dk0W6Wm.exe
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1628562870.000000000157E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs jW8UOYF1dk0W6Wm.exe
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1629653116.00000000034A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename43bc4211-45f7-4cca-9adb-3822a3e2d536.exe4 vs jW8UOYF1dk0W6Wm.exe
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1630917508.0000000004693000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename43bc4211-45f7-4cca-9adb-3822a3e2d536.exe4 vs jW8UOYF1dk0W6Wm.exe
Source: jW8UOYF1dk0W6Wm.exe, 00000000.00000002.1630917508.0000000004693000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs jW8UOYF1dk0W6Wm.exe
Source: jW8UOYF1dk0W6Wm.exe, 00000002.00000002.4075856703.0000000000B69000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs jW8UOYF1dk0W6Wm.exe
Source: jW8UOYF1dk0W6Wm.exe, 00000002.00000002.4075644610.000000000043E000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename43bc4211-45f7-4cca-9adb-3822a3e2d536.exe4 vs jW8UOYF1dk0W6Wm.exe
Source: jW8UOYF1dk0W6Wm.exe Binary or memory string: OriginalFilenameRIZe.exeX vs jW8UOYF1dk0W6Wm.exe
Uses 32bit PE files
Source: jW8UOYF1dk0W6Wm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 2.2.jW8UOYF1dk0W6Wm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.jW8UOYF1dk0W6Wm.exe.471ab80.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.jW8UOYF1dk0W6Wm.exe.471ab80.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: jW8UOYF1dk0W6Wm.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.jW8UOYF1dk0W6Wm.exe.44a9970.6.raw.unpack, -.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.44a9970.6.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.44a9970.6.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7780000.9.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7780000.9.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.raw.unpack, kGWv.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.raw.unpack, 84Zwl.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.raw.unpack, Z80kh.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.raw.unpack, R7VqEELv.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, vQXyasrWBFPBxkVKfp.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, vQXyasrWBFPBxkVKfp.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, vachs6lEjSiNgOyon2.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, vachs6lEjSiNgOyon2.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, vachs6lEjSiNgOyon2.cs Security API names: _0020.AddAccessRule
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, vachs6lEjSiNgOyon2.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, vachs6lEjSiNgOyon2.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, vachs6lEjSiNgOyon2.cs Security API names: _0020.AddAccessRule
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, vQXyasrWBFPBxkVKfp.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, vQXyasrWBFPBxkVKfp.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/33@11/8
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jW8UOYF1dk0W6Wm.exe.log Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Mutant created: NULL
Source: jW8UOYF1dk0W6Wm.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jW8UOYF1dk0W6Wm.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: jW8UOYF1dk0W6Wm.exe ReversingLabs: Detection: 18%
Source: jW8UOYF1dk0W6Wm.exe Virustotal: Detection: 30%
Source: unknown Process created: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe "C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe"
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process created: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe "C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2012,i,6736296510162143224,1551074681969266580,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process created: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe "C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2012,i,6736296510162143224,1551074681969266580,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: jW8UOYF1dk0W6Wm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: jW8UOYF1dk0W6Wm.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: jW8UOYF1dk0W6Wm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: RIZe.pdb source: jW8UOYF1dk0W6Wm.exe
Source: Binary string: RIZe.pdbSHA256T source: jW8UOYF1dk0W6Wm.exe

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7780000.9.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.jW8UOYF1dk0W6Wm.exe.34ef688.3.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
.NET source code contains potential unpacker
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, vachs6lEjSiNgOyon2.cs .Net Code: k9v5ZFyrWD System.Reflection.Assembly.Load(byte[])
Source: 0.2.jW8UOYF1dk0W6Wm.exe.44a9970.6.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, vachs6lEjSiNgOyon2.cs .Net Code: k9v5ZFyrWD System.Reflection.Assembly.Load(byte[])
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7e10000.11.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_034796C0 push eax; mov dword ptr [esp], ecx 0_2_034796C4
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_034796B0 push eax; mov dword ptr [esp], ecx 0_2_034796C4
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 0_2_07CC9100 push ds; ret 0_2_07CC910F
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Code function: 2_2_061560E5 push ebp; iretd 2_2_061560E8
Source: jW8UOYF1dk0W6Wm.exe Static PE information: section name: .text entropy: 7.962374863479765
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, vQXyasrWBFPBxkVKfp.cs High entropy of concatenated method names: 'KyZqVnbCRY', 'MENqyInocb', 'Pikqs2xUSE', 'su7qn6UW0C', 'iJgq21lNpF', 'QHHqRMf9tk', 'itcqJ2icmO', 'w9iqQPAqKo', 'KdeqY4hlVf', 'Mx3qiP8Zs1'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, PkfSuu4bPWawIfDjSas.cs High entropy of concatenated method names: 'M8hPpVyI8J', 'f9RPEXReSA', 'aEXPZp9CKA', 'UbMPOkld5C', 'pTmPg3iBko', 'HxZPNdMcnw', 'OiOPrs5vRT', 'FGjP4g8Lhe', 'EGKPk2Id5R', 'YcZPvuVwdo'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, suS2IsQgrnY8lYA9UV.cs High entropy of concatenated method names: 'JTlAOa00pB', 'y36ANW25KX', 'o1xA4dLQfq', 'iAeAk02xmQ', 'DvtA9tDoCQ', 'qxwAUbZUxV', 'cUbAdcRryV', 'RhFActy2qk', 'EpfAPoR0IN', 'PDqADj8GWy'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, gT6fByy7h0ZxSvA2nP.cs High entropy of concatenated method names: 'eYHdWrG3l5', 'bNIdSOYXmd', 'ToString', 'YC6dBteHb5', 'AaidqHiVSP', 'JOwdA08WlL', 'uG3d1r43C3', 'zJZdGLN911', 'D6JdMOxh9V', 'dmpd3UFXqm'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, gH8GwrBvFdVVUeo2Ot.cs High entropy of concatenated method names: 'NQPPmPB4iJ', 'vIXPFSRP2v', 'C9EP5MIBry', 'I42PB5VEF0', 'FkWPqhxXs8', 'EWMP1bsJH2', 'xtgPGHt8p9', 'SulcJocnIT', 'DBEcQ9MPri', 'yDxcYtH0SZ'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, zxnOyshotVLC7OvZ9S.cs High entropy of concatenated method names: 'UnYGsANDxN', 'qyNGnDyJDJ', 'vt0G2osK45', 'ToString', 'CtCGRVXf44', 'Y3mGJnAlH1', 'pP3LVZITNrHt22eDjhU', 'jAFgtjI6d2Z00L3wwvQ', 'cOgRNbIpo8XEOYqyV9S'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, tmkUDoVayS8i8NgVie.cs High entropy of concatenated method names: 'f2QMBxCiSb', 'UQbMA4rHir', 'b53MGeRJBs', 'hSjGirSbij', 'oqbGzLtQXm', 'EkNMoo7HEX', 'epfMmm3BNp', 'toPMaNLu7W', 'hUCMF1E7bO', 'UeTM5fGE9L'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, vwuJLq4Uy9OGewGX3cx.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nVxDV04Sah', 'b58DyPoG8c', 'IPNDswldhC', 's2kDnx2Vow', 'ubKD2tVScQ', 'HN6DRGdGHS', 'l6BDJ1wKWv'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, iPcVGb0X394111n8n4.cs High entropy of concatenated method names: 'oI31g2SM95', 'h9r1rPnV4t', 'CJlAjjZnUw', 'k6kAtClmYQ', 'CtqAIEKoUe', 'FD5A7F7Kdv', 'FTAAKN4u7C', 'TKKAHsMDmi', 'lmGAluoTho', 'cr8AuJrTjN'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, fLwNNmZ9eIIdJoEOcU.cs High entropy of concatenated method names: 'wvbMphn6ei', 'X8RMEhajFi', 'UddMZTs6cI', 'IviMOmlM0t', 'FEUMgQQJNx', 'oGLMNXttSt', 'LyaMrAdASo', 'YWkM4mLcmC', 'QVIMka7wev', 'j02MvigLqZ'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, RGe8eyiDv7JW3R6scq.cs High entropy of concatenated method names: 'KTHmMOBJqa', 'Nmum3To8Zo', 'qZWmWNZPHv', 'POEmSboXAe', 'mSqm9HWTdt', 'fdLmUCqUIt', 'fX5gxkCcAn2IS0NKOm', 'iUKCfJiqNwRjfYMpyk', 'Gdimm7Jr3e', 'T9omFsMxln'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, ENd4HaES1pDPAWcZQ9.cs High entropy of concatenated method names: 'LQsGwSL1R7', 'ws0Gp4dnG8', 'ViiGZMCPWq', 'xwjGOSSRsB', 'M60GNSgHHX', 'x6qGrEfxH2', 'DVTGkltvIn', 'FZyGvDgjkW', 'J5hDR8IFPKa21FmZ722', 'hFsR4EIyl32O0u3CrDU'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, EN5WTq865Usn2OuxgM.cs High entropy of concatenated method names: 'RSVcbatjdd', 'mQlcepn4hx', 'TU5cjLiDVx', 'PEgct1eOMT', 'B2ycVXOTeS', 'G5ncIQNuQ5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, v3tAwV2SGrLC7hM0Bt.cs High entropy of concatenated method names: 'qEsG0Clrlx', 'N4bGqAcCHl', 'zuxG1d2v6m', 'oeZGMWDixp', 'yghG3TwPj7', 'px112xxw9M', 'Gpt1RYAls2', 'Qjg1J94fEt', 'A3D1QIPPwj', 's1n1Y8VLOp'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, ToLbMo9a8oiNUeFH1w.cs High entropy of concatenated method names: 'RlYdQErUeu', 'cW3dimgfaM', 'fmFcoBbXBa', 'gW0cmqC3Yq', 'oiMdxbDK4R', 'I70dL7QRy5', 'livd6Xt0nX', 'cZ9dVqF8xr', 'i1MdyALSyb', 'RthdsYrYC3'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, sTmaNauvyiuEKRccFe.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ueuaYbNOpf', 'Qu0aiyTHLO', 'JAJaz0ym4A', 'WHBFoDTPWP', 'FtLFmIRNkH', 'mImFa0LoR1', 'tTkFFSNunI', 'AkJqEk2IUoIMqwPUbcM'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, JcJmk2oAYscblvokca.cs High entropy of concatenated method names: 'NnmZJnqn3', 'KvVOPcUUH', 'FSpNWAnuM', 'watrg9fR0', 'IVxkS4svl', 'qjmvdF0kU', 'lKjkNS3SnIiV1wwClS', 'GNeKvI4tjPa3FKFyE3', 'p4Hc06AWm', 'VbIDXeZGI'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, gUSAZDaJl2muiN3t7p.cs High entropy of concatenated method names: 'Dispose', 'LO1mYJmqXg', 'hLJaeXtqfc', 'WP2XXRpXM3', 'lJkmi26hqm', 'B56mztFmB9', 'ProcessDialogKey', 'VHbaoK8O4g', 'w1hamgaTtv', 'QQAaa4Q5MS'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, IM45ClFxZR46VVVerm.cs High entropy of concatenated method names: 'UZ4T4VGW0X', 'evlTk6JOfj', 'z9cTb7c25y', 'EeSTeE9YDF', 'Y7aTtwdMAH', 'P6OTIpJsYt', 'LTTTKvKRdZ', 'fcdTHG9YBX', 'm09TuCPwCV', 'SAXTxWRGis'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, FWElWKKW1m7suF4ggf.cs High entropy of concatenated method names: 'LTTcBE1oF4', 'UGKcqAHd65', 'v0bcAVHBDf', 'Jubc1pxyDv', 'EuCcGgLvIL', 'FkkcMrjqmu', 'e0wc3UY86y', 'UJCchrqYmx', 'cORcWZou1g', 'vA3cS7wfag'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, NEnjn21FUqRGdPMJIM.cs High entropy of concatenated method names: 'C1m9usHKD0', 'Bpt9LYkRwE', 'hms9Vqi4ex', 'XBF9yi6muE', 'Qi69eEZbTx', 'aNc9jKXgkf', 'pxd9tnYboq', 'LjL9IlIGwF', 'OpA97E2NLU', 'VwP9KHr3eA'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7aa0000.10.raw.unpack, vachs6lEjSiNgOyon2.cs High entropy of concatenated method names: 'ejDF0vtN4v', 'I5ZFBB69ma', 'SYYFqVXy1Z', 'prvFA7au40', 'KIbF13SXSs', 'MLbFGXqQ0d', 'OB3FM5vs6D', 'g9CF3A08Hl', 'rSNFhlUCeE', 'k8IFWX1jod'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.7780000.9.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, vQXyasrWBFPBxkVKfp.cs High entropy of concatenated method names: 'KyZqVnbCRY', 'MENqyInocb', 'Pikqs2xUSE', 'su7qn6UW0C', 'iJgq21lNpF', 'QHHqRMf9tk', 'itcqJ2icmO', 'w9iqQPAqKo', 'KdeqY4hlVf', 'Mx3qiP8Zs1'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, PkfSuu4bPWawIfDjSas.cs High entropy of concatenated method names: 'M8hPpVyI8J', 'f9RPEXReSA', 'aEXPZp9CKA', 'UbMPOkld5C', 'pTmPg3iBko', 'HxZPNdMcnw', 'OiOPrs5vRT', 'FGjP4g8Lhe', 'EGKPk2Id5R', 'YcZPvuVwdo'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, suS2IsQgrnY8lYA9UV.cs High entropy of concatenated method names: 'JTlAOa00pB', 'y36ANW25KX', 'o1xA4dLQfq', 'iAeAk02xmQ', 'DvtA9tDoCQ', 'qxwAUbZUxV', 'cUbAdcRryV', 'RhFActy2qk', 'EpfAPoR0IN', 'PDqADj8GWy'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, gT6fByy7h0ZxSvA2nP.cs High entropy of concatenated method names: 'eYHdWrG3l5', 'bNIdSOYXmd', 'ToString', 'YC6dBteHb5', 'AaidqHiVSP', 'JOwdA08WlL', 'uG3d1r43C3', 'zJZdGLN911', 'D6JdMOxh9V', 'dmpd3UFXqm'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, gH8GwrBvFdVVUeo2Ot.cs High entropy of concatenated method names: 'NQPPmPB4iJ', 'vIXPFSRP2v', 'C9EP5MIBry', 'I42PB5VEF0', 'FkWPqhxXs8', 'EWMP1bsJH2', 'xtgPGHt8p9', 'SulcJocnIT', 'DBEcQ9MPri', 'yDxcYtH0SZ'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, zxnOyshotVLC7OvZ9S.cs High entropy of concatenated method names: 'UnYGsANDxN', 'qyNGnDyJDJ', 'vt0G2osK45', 'ToString', 'CtCGRVXf44', 'Y3mGJnAlH1', 'pP3LVZITNrHt22eDjhU', 'jAFgtjI6d2Z00L3wwvQ', 'cOgRNbIpo8XEOYqyV9S'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, tmkUDoVayS8i8NgVie.cs High entropy of concatenated method names: 'f2QMBxCiSb', 'UQbMA4rHir', 'b53MGeRJBs', 'hSjGirSbij', 'oqbGzLtQXm', 'EkNMoo7HEX', 'epfMmm3BNp', 'toPMaNLu7W', 'hUCMF1E7bO', 'UeTM5fGE9L'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, vwuJLq4Uy9OGewGX3cx.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nVxDV04Sah', 'b58DyPoG8c', 'IPNDswldhC', 's2kDnx2Vow', 'ubKD2tVScQ', 'HN6DRGdGHS', 'l6BDJ1wKWv'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, iPcVGb0X394111n8n4.cs High entropy of concatenated method names: 'oI31g2SM95', 'h9r1rPnV4t', 'CJlAjjZnUw', 'k6kAtClmYQ', 'CtqAIEKoUe', 'FD5A7F7Kdv', 'FTAAKN4u7C', 'TKKAHsMDmi', 'lmGAluoTho', 'cr8AuJrTjN'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, fLwNNmZ9eIIdJoEOcU.cs High entropy of concatenated method names: 'wvbMphn6ei', 'X8RMEhajFi', 'UddMZTs6cI', 'IviMOmlM0t', 'FEUMgQQJNx', 'oGLMNXttSt', 'LyaMrAdASo', 'YWkM4mLcmC', 'QVIMka7wev', 'j02MvigLqZ'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, RGe8eyiDv7JW3R6scq.cs High entropy of concatenated method names: 'KTHmMOBJqa', 'Nmum3To8Zo', 'qZWmWNZPHv', 'POEmSboXAe', 'mSqm9HWTdt', 'fdLmUCqUIt', 'fX5gxkCcAn2IS0NKOm', 'iUKCfJiqNwRjfYMpyk', 'Gdimm7Jr3e', 'T9omFsMxln'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, ENd4HaES1pDPAWcZQ9.cs High entropy of concatenated method names: 'LQsGwSL1R7', 'ws0Gp4dnG8', 'ViiGZMCPWq', 'xwjGOSSRsB', 'M60GNSgHHX', 'x6qGrEfxH2', 'DVTGkltvIn', 'FZyGvDgjkW', 'J5hDR8IFPKa21FmZ722', 'hFsR4EIyl32O0u3CrDU'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, EN5WTq865Usn2OuxgM.cs High entropy of concatenated method names: 'RSVcbatjdd', 'mQlcepn4hx', 'TU5cjLiDVx', 'PEgct1eOMT', 'B2ycVXOTeS', 'G5ncIQNuQ5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, v3tAwV2SGrLC7hM0Bt.cs High entropy of concatenated method names: 'qEsG0Clrlx', 'N4bGqAcCHl', 'zuxG1d2v6m', 'oeZGMWDixp', 'yghG3TwPj7', 'px112xxw9M', 'Gpt1RYAls2', 'Qjg1J94fEt', 'A3D1QIPPwj', 's1n1Y8VLOp'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, ToLbMo9a8oiNUeFH1w.cs High entropy of concatenated method names: 'RlYdQErUeu', 'cW3dimgfaM', 'fmFcoBbXBa', 'gW0cmqC3Yq', 'oiMdxbDK4R', 'I70dL7QRy5', 'livd6Xt0nX', 'cZ9dVqF8xr', 'i1MdyALSyb', 'RthdsYrYC3'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, sTmaNauvyiuEKRccFe.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ueuaYbNOpf', 'Qu0aiyTHLO', 'JAJaz0ym4A', 'WHBFoDTPWP', 'FtLFmIRNkH', 'mImFa0LoR1', 'tTkFFSNunI', 'AkJqEk2IUoIMqwPUbcM'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, JcJmk2oAYscblvokca.cs High entropy of concatenated method names: 'NnmZJnqn3', 'KvVOPcUUH', 'FSpNWAnuM', 'watrg9fR0', 'IVxkS4svl', 'qjmvdF0kU', 'lKjkNS3SnIiV1wwClS', 'GNeKvI4tjPa3FKFyE3', 'p4Hc06AWm', 'VbIDXeZGI'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, gUSAZDaJl2muiN3t7p.cs High entropy of concatenated method names: 'Dispose', 'LO1mYJmqXg', 'hLJaeXtqfc', 'WP2XXRpXM3', 'lJkmi26hqm', 'B56mztFmB9', 'ProcessDialogKey', 'VHbaoK8O4g', 'w1hamgaTtv', 'QQAaa4Q5MS'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, IM45ClFxZR46VVVerm.cs High entropy of concatenated method names: 'UZ4T4VGW0X', 'evlTk6JOfj', 'z9cTb7c25y', 'EeSTeE9YDF', 'Y7aTtwdMAH', 'P6OTIpJsYt', 'LTTTKvKRdZ', 'fcdTHG9YBX', 'm09TuCPwCV', 'SAXTxWRGis'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, FWElWKKW1m7suF4ggf.cs High entropy of concatenated method names: 'LTTcBE1oF4', 'UGKcqAHd65', 'v0bcAVHBDf', 'Jubc1pxyDv', 'EuCcGgLvIL', 'FkkcMrjqmu', 'e0wc3UY86y', 'UJCchrqYmx', 'cORcWZou1g', 'vA3cS7wfag'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, NEnjn21FUqRGdPMJIM.cs High entropy of concatenated method names: 'C1m9usHKD0', 'Bpt9LYkRwE', 'hms9Vqi4ex', 'XBF9yi6muE', 'Qi69eEZbTx', 'aNc9jKXgkf', 'pxd9tnYboq', 'LjL9IlIGwF', 'OpA97E2NLU', 'VwP9KHr3eA'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.4814850.7.raw.unpack, vachs6lEjSiNgOyon2.cs High entropy of concatenated method names: 'ejDF0vtN4v', 'I5ZFBB69ma', 'SYYFqVXy1Z', 'prvFA7au40', 'KIbF13SXSs', 'MLbFGXqQ0d', 'OB3FM5vs6D', 'g9CF3A08Hl', 'rSNFhlUCeE', 'k8IFWX1jod'
Source: 0.2.jW8UOYF1dk0W6Wm.exe.34ef688.3.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: jW8UOYF1dk0W6Wm.exe PID: 5104, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Memory allocated: 1560000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Memory allocated: 34A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Memory allocated: 1770000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Memory allocated: 7F30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Memory allocated: 8F30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Memory allocated: 90D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Memory allocated: A0D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Memory allocated: 28F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Memory allocated: 2B30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Memory allocated: 28F0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199984 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199875 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199765 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199656 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199547 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199437 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199328 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199219 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199106 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199000 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198890 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198781 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198672 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198562 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198453 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198344 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198234 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198125 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198015 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197906 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197797 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197687 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197578 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197469 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197359 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197250 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197140 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197031 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1196922 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1196812 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1196703 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1196594 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1196484 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1196375 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Window / User API: threadDelayed 1674 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Window / User API: threadDelayed 8190 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 3372 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -28592453314249787s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -99766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -99656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -99547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -99437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -99328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -99219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -99109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -99000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -98891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -98781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -98672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -98562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -98453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -98344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1199984s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1199875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1199765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1199656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1199547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1199437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1199328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1199219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1199106s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1199000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1198890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1198781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1198672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1198562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1198453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1198344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1198234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1198125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1198015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1197906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1197797s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1197687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1197578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1197469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1197359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1197250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1197140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1197031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1196922s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1196812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1196703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1196594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1196484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe TID: 7212 Thread sleep time: -1196375s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 99875 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 99766 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 99656 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 99547 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 99219 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 99109 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 99000 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 98891 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 98781 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 98672 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 98562 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 98453 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 98344 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199984 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199875 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199765 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199656 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199547 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199437 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199328 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199219 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199106 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1199000 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198890 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198781 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198672 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198562 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198453 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198344 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198234 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198125 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1198015 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197906 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197797 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197687 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197578 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197469 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197359 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197250 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197140 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1197031 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1196922 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1196812 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1196703 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1196594 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1196484 Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Thread delayed: delay time: 1196375 Jump to behavior
Source: jW8UOYF1dk0W6Wm.exe, 00000002.00000002.4080332899.0000000002F50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: RnrS0AEnArFUoxnKovtGnM3FR7DoxlvpUtIq7RilrQQUUUUAFFFFABRRRQAVARg4qemu
Source: jW8UOYF1dk0W6Wm.exe, 00000002.00000002.4076848054.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Memory written: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Process created: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe "C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.2.jW8UOYF1dk0W6Wm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.471ab80.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.471ab80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4075644610.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4080332899.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1630917508.0000000004693000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jW8UOYF1dk0W6Wm.exe PID: 5104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jW8UOYF1dk0W6Wm.exe PID: 6668, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.7780000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.34ef688.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.386d734.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.34ef688.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.7780000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.386c71c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.3832cf0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1632660259.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1629653116.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1629653116.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\jW8UOYF1dk0W6Wm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 2.2.jW8UOYF1dk0W6Wm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.471ab80.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.471ab80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4075644610.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4080332899.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1630917508.0000000004693000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jW8UOYF1dk0W6Wm.exe PID: 5104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jW8UOYF1dk0W6Wm.exe PID: 6668, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.2.jW8UOYF1dk0W6Wm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.471ab80.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.4755ba0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.471ab80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4075644610.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4080332899.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1630917508.0000000004693000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jW8UOYF1dk0W6Wm.exe PID: 5104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jW8UOYF1dk0W6Wm.exe PID: 6668, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.7780000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.34ef688.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.386d734.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.34ef688.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.7780000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.386c71c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW8UOYF1dk0W6Wm.exe.3832cf0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1632660259.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1629653116.00000000037F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1629653116.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1436596 Sample: jW8UOYF1dk0W6Wm.exe Startdate: 06/05/2024 Architecture: WINDOWS Score: 100 19 mail.metalsbox.com 2->19 33 Snort IDS alert for network traffic 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 9 other signatures 2->39 7 jW8UOYF1dk0W6Wm.exe 3 2->7         started        10 chrome.exe 1 2->10         started        signatures3 process4 dnsIp5 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->41 43 Injects a PE file into a foreign processes 7->43 13 jW8UOYF1dk0W6Wm.exe 2 7->13         started        21 192.168.2.4, 138, 443, 49723 unknown unknown 10->21 23 239.255.255.250 unknown Reserved 10->23 17 chrome.exe 10->17         started        signatures6 process7 dnsIp8 25 mail.metalsbox.com 192.185.166.221, 49735, 49760, 49761 UNIFIEDLAYER-AS-1US United States 13->25 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->45 47 Tries to steal Mail credentials (via file / registry access) 13->47 49 Tries to harvest and steal ftp login credentials 13->49 51 2 other signatures 13->51 27 142.250.189.142, 443, 49784 GOOGLEUS United States 17->27 29 plus.l.google.com 142.250.217.174, 443, 49751 GOOGLEUS United States 17->29 31 5 other IPs or domains 17->31 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.189.142
 unknown United States
15169 GOOGLEUS false
142.250.217.206
 www3.l.google.com United States
15169 GOOGLEUS false
192.185.166.221
 mail.metalsbox.com United States
46606 UNIFIEDLAYER-AS-1US true
142.250.217.196
 www.google.com United States
15169 GOOGLEUS false
142.250.217.174
 plus.l.google.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
172.217.3.78
 play.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.4

Contacted Domains

Name IP Active
plus.l.google.com 142.250.217.174 true
www3.l.google.com 142.250.217.206 true
play.google.com 172.217.3.78 true
mail.metalsbox.com 192.185.166.221 true
www.google.com 142.250.217.196 true
ogs.google.com unknown unknown
apis.google.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en false
    		high
    https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 false
      		high
      https://www.google.com/async/newtab_promos false
        		high
        https://play.google.com/log?format=json&hasfast=true&authuser=0 false
          		high
          https://www.google.com/async/ddljson?async=ntp:2 false
            		high
            https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
              		high
              https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 false
                		high