Windows Analysis Report
739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe

Overview

General Information

Sample name: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Analysis ID: 1446056
MD5: 784ba798f9aa395a8ed0cd2d1e557320
SHA1: d368d6b2507f3523702b855a19f0b6eb8380320b
SHA256: 3979eb243225878a1331722d77eeb7d5937691a9e81322bfe24f5ae23aa855f6
Tags: AgentTeslaexeFedEx
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Avira: detection malicious, Label: TR/AD.GenSteal.xzcol
Found malware configuration
Source: 6.2.skyT.exe.451d730.9.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.adgumrukmusavirligi.com", "Username": "gizemcevik@adgumrukmusavirligi.com", "Password": "GizCvk2019!."}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe ReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4x nop then jmp 073CBF37h 0_2_073CBC83
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 4x nop then jmp 0772B847h 6_2_0772B593
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 4x nop then jmp 06CEB847h 9_2_06CEB593

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:60101 -> 94.199.206.42:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.6:60101 -> 94.199.206.42:587
Yara detected Generic Downloader
Source: Yara match File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:60100 -> 94.199.206.42:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 94.199.206.42 94.199.206.42
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AEROTEK-ASTR AEROTEK-ASTR
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:60100 -> 94.199.206.42:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: mail.adgumrukmusavirligi.com
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://adgumrukmusavirligi.com
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.adgumrukmusavirligi.com
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2136429481.000000000315D000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 00000006.00000002.2294417914.000000000324D000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 00000009.00000002.2353162012.00000000028B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp, 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2137030214.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 00000006.00000002.2295766136.000000000451D000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 00000007.00000002.4569543128.0000000000430000.00000040.00000400.00020000.00000000.sdmp, skyT.exe, 00000009.00000002.2357943673.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 00000009.00000002.2357943673.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, cPKWk.cs .Net Code: m1v5IQ8
Installs a global keyboard hook
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\skyT\skyT.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\skyT\skyT.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Window created: window name: CLIPBRDWNDCLASS

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 6.2.skyT.exe.4558350.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.skyT.exe.451d730.9.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.skyT.exe.3b41b18.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.skyT.exe.3b41b18.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.skyT.exe.4558350.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.skyT.exe.3bb8bd0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.skyT.exe.3bb8bd0.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.skyT.exe.451d730.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, Resources.cs Large array initialization: : array initializer size 635609
Detected potential crypto function
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 0_2_017CE02C 0_2_017CE02C
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 0_2_073CB392 0_2_073CB392
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 0_2_073C8300 0_2_073C8300
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 0_2_073C63E8 0_2_073C63E8
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 0_2_073C82F0 0_2_073C82F0
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 0_2_073CE120 0_2_073CE120
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 0_2_073C5FB0 0_2_073C5FB0
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 0_2_073C7EB8 0_2_073C7EB8
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 0_2_073C7EC8 0_2_073C7EC8
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 0_2_073C7A90 0_2_073C7A90
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 0_2_073C7A80 0_2_073C7A80
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_02B09758 4_2_02B09758
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_02B04AA8 4_2_02B04AA8
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_02B03E90 4_2_02B03E90
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_02B08F90 4_2_02B08F90
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_02B0CC18 4_2_02B0CC18
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_02B041D8 4_2_02B041D8
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_02B0CFC2 4_2_02B0CFC2
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_062C1768 4_2_062C1768
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_062C2F10 4_2_062C2F10
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_062C6DDC 4_2_062C6DDC
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_062C09C0 4_2_062C09C0
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_062C8108 4_2_062C8108
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_062C8103 4_2_062C8103
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_062C8DF7 4_2_062C8DF7
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 4_2_062C2828 4_2_062C2828
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 6_2_02FBE02C 6_2_02FBE02C
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 6_2_07728300 6_2_07728300
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 6_2_077263E8 6_2_077263E8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 6_2_077282F0 6_2_077282F0
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 6_2_07727EC8 6_2_07727EC8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 6_2_07727EB8 6_2_07727EB8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 6_2_0772DA38 6_2_0772DA38
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 6_2_07727A90 6_2_07727A90
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 6_2_07727A80 6_2_07727A80
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_02C591D8 7_2_02C591D8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_02C59628 7_2_02C59628
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_02C5CAE8 7_2_02C5CAE8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_02C54AA8 7_2_02C54AA8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_02C53E90 7_2_02C53E90
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_02C58E5C 7_2_02C58E5C
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_02C541D8 7_2_02C541D8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_02C519C0 7_2_02C519C0
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_06380448 7_2_06380448
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_063811F0 7_2_063811F0
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_06386C54 7_2_06386C54
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_06382D98 7_2_06382D98
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_063822B0 7_2_063822B0
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_06387F88 7_2_06387F88
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_06387F82 7_2_06387F82
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_06388C76 7_2_06388C76
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 7_2_02C5CE90 7_2_02C5CE90
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_026BE02C 9_2_026BE02C
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_04D10040 9_2_04D10040
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_04D1001F 9_2_04D1001F
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_04D1AF30 9_2_04D1AF30
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_06CE82FB 9_2_06CE82FB
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_06CE63E8 9_2_06CE63E8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_06CE8300 9_2_06CE8300
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_06CE7EC8 9_2_06CE7EC8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_06CE7EC3 9_2_06CE7EC3
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_06CE7EF5 9_2_06CE7EF5
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_06CE5FB0 9_2_06CE5FB0
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_06CE7A8B 9_2_06CE7A8B
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_06CE7A90 9_2_06CE7A90
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_06CEDA38 9_2_06CEDA38
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 10_2_017E9628 10_2_017E9628
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 10_2_017ECAE8 10_2_017ECAE8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 10_2_017E4AA8 10_2_017E4AA8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 10_2_017E3E90 10_2_017E3E90
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 10_2_017E41D8 10_2_017E41D8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 10_2_06640448 10_2_06640448
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 10_2_06646C54 10_2_06646C54
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 10_2_06647F83 10_2_06647F83
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 10_2_06647F88 10_2_06647F88
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 10_2_06648C77 10_2_06648C77
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 10_2_06646C48 10_2_06646C48
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 10_2_017ECE90 10_2_017ECE90
Sample file is different than original file name gathered from version info
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2140332453.0000000007F20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2134386068.00000000012EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2139860310.00000000076C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2136429481.000000000315D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename10920149-2e8b-4d10-98dd-faef01bf06fc.exe4 vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000000.2102695337.0000000000E6A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLoud.exeJ vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2136429481.00000000030F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename10920149-2e8b-4d10-98dd-faef01bf06fc.exe4 vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4570035103.0000000000D38000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Binary or memory string: OriginalFilenameLoud.exeJ vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Uses 32bit PE files
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 6.2.skyT.exe.4558350.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.skyT.exe.451d730.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.skyT.exe.3b41b18.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.skyT.exe.3b41b18.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.skyT.exe.4558350.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.skyT.exe.3bb8bd0.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.skyT.exe.3bb8bd0.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.skyT.exe.451d730.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, 6oQOw74dfIt.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, aMIWm.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, I8o55IfytmgWdxmM3Y.cs Security API names: _0020.SetAccessControl
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, I8o55IfytmgWdxmM3Y.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, I8o55IfytmgWdxmM3Y.cs Security API names: _0020.AddAccessRule
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, mjY8HAPE3JTDE1XrJ4.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.3143a20.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.3133a14.6.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.349dda4.0.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.7360000.10.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@12/9@1/1
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.log Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_03
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Mutant created: \Sessions\1\BaseNamedObjects\UZnjywb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdqkews5.pfg.ps1 Jump to behavior
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 00000007.00000002.4573886453.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 00000007.00000002.4573886453.0000000002F08000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 0000000A.00000002.4574644878.0000000003309000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 0000000A.00000002.4574644878.00000000032F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe File read: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe"
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe"
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process created: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe"
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe"
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe"
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe" Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process created: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe" Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, GameOfLife.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, GameOfLife.cs .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, I8o55IfytmgWdxmM3Y.cs .Net Code: HNZ2kEsUwE System.Reflection.Assembly.Load(byte[])
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.7f20000.13.raw.unpack, LoginForm.cs .Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.31165f8.3.raw.unpack, LoginForm.cs .Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Code function: 0_2_017CB920 push 18418B05h; ret 0_2_017CBB83
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_026BE16A push ebx; retf 9_2_026BE172
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_04D122A1 push ebp; retf 9_2_04D122A3
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_04D163D0 pushfd ; retf 9_2_04D163D6
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_04D18FA0 pushfd ; retf 9_2_04D18FAE
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_04D11498 push esi; retf 9_2_04D1179E
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_04D110C3 push esp; retf 9_2_04D110D2
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_04D110B3 push esi; retf 9_2_04D110B2
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_04D110B3 push edi; retf 9_2_04D110C2
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_04D110A7 push esi; retf 9_2_04D110B2
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_04D11E97 push esp; retf 9_2_04D11EA6
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_04D11850 push esp; retf 9_2_04D1185E
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_06CEBECA push esp; retf 9_2_06CEBED6
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_06CE2F88 pushad ; iretd 9_2_06CE2F89
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_06CE8A70 pushad ; iretd 9_2_06CE8A79
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 9_2_06CE8947 push eax; iretd 9_2_06CE8949
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 10_2_066422A0 push cs; iretd 10_2_066422AA
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Code function: 10_2_06641913 push es; iretd 10_2_0664191A
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Static PE information: section name: .text entropy: 7.964960726010625
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, YStk5IOYjMqj0EeRG4.cs High entropy of concatenated method names: 'y8llyA8diO', 'cuKlUMhg9u', 'jnRlsXm49E', 'ONGshFIwPZ', 'HTdszZ9seA', 'pq7lKcEjWV', 'zjwlNTxCIJ', 'O90lZYF4HG', 'Lxilv0uNZL', 'gSEl2RQsNf'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, mjY8HAPE3JTDE1XrJ4.cs High entropy of concatenated method names: 'CwnJeie5Vh', 'pQYJHhZWuj', 'rKPJu7y2sN', 'a7MJbSn4TV', 'SfDJX2wmt6', 'ySGJg3Np7C', 'Bj1JB3Bqpy', 'PiDJV7DmWn', 'xhOJ0hxx3g', 'CQUJhNxoCR'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, I8o55IfytmgWdxmM3Y.cs High entropy of concatenated method names: 'Gjav8yXRGC', 'SEavyyESvT', 'xNMvJImL4Y', 'XOvvU4QPx6', 'DDHvrWlq6o', 'KcCvs0U4om', 'dWqvlRr3hu', 'g3ivfqwuFY', 'He1viogOg5', 'NaVv3d3uHQ'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, sSUVfO93Njxw0miDEa.cs High entropy of concatenated method names: 'qDhrw7ROkD', 'zVWrYmXT0I', 'yOZUckIxln', 'UpTUp0EyAY', 'vyfULylTm6', 'dNuU7xQJ92', 'Go0UOxbY9L', 'hfTU6w9XWX', 'S5gUSQXvfd', 'FNnUaOW8iT'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, ckDAAq0mjRsFIG5IC4.cs High entropy of concatenated method names: 'iBRnGa5XFc', 'EBwn5fmbkp', 'N4Znc4Ki5G', 'bpWnp07a2R', 'iuVneruxgT', 'AAKnLwxCnL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, qef9sBImAwUNe94EJd.cs High entropy of concatenated method names: 'heIqPYwsin', 'V4FqjccVv7', 'yZ5qGPXVTZ', 'zSBq50q9Xw', 'rZEqp6tJ3d', 'gMVqLOd4PL', 'chNqOU9AHH', 'k2Rq6FBom0', 'AnIqa7527c', 'CG4qQuVj62'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, PmKD6VgRIMxp3hCBB0.cs High entropy of concatenated method names: 'grUtV5OgEQ', 'gytthVNKZT', 'H2lnK47xyc', 'Ay5nNgjpsn', 'KxUtQtXUhT', 'r1ctxOJGHL', 'pT4tIqKbA8', 'xLateO1Ql6', 'j08tHATUQv', 'cdituq5OWn'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, wYWvuM2xsZWf6Kko5I.cs High entropy of concatenated method names: 'r1RNljY8HA', 's3JNfTDE1X', 'lyrN3qFEvp', 'Ow4NRNFSUV', 'viDNdEaJCh', 'rlXNA2iTj9', 'NqHNhaBvGDcJlpywvy', 'S2QJTPjyandZlgOs0U', 'VhLNNXbr38', 'GsWNvEo9B3'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, KBhn4QhP2O2VFnHvhf.cs High entropy of concatenated method names: 'llsENjs9Ls', 'YbTEv2RvpX', 'D8hE2ICTq7', 'wt3Ey06JQ7', 'G7sEJw8cU5', 'gXUEroGhe9', 'G4wEs6lbkt', 'wasnB1mTGW', 'lg2nVWZZHZ', 'ULin0MYuHt'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, PyTJP3jyrqFEvpQw4N.cs High entropy of concatenated method names: 'asPUo4SVpj', 'krsUTqQo7E', 'KIqUP1LfPF', 'ITaUj2QrNf', 'l7nUdJFqYc', 'J89UAkOhB0', 'U5jUtpsvLh', 'TagUnQV396', 'PUZUEw2GIG', 'tGjUFS0NsB'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, fEX4WANvdXcGc1eTU4s.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'njnFer97Jr', 'DqLFHsYJNP', 'GlGFuLWHIL', 'mY2FbaJRQB', 'd9VFXvSr2G', 'VMiFgrDG0F', 'Gj3FB4Xl72'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, nrUakDuYsKXrr3RcGT.cs High entropy of concatenated method names: 'ToString', 'Ay1AQ3Spsq', 'kcyA5bSECd', 'XcNAcFFY3Z', 'KHIApPZ7p3', 'SNIALOJx0B', 'IHjA78DbDf', 'w0XAOlgllW', 's1bA60fibD', 'HbTASnQaqS'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, QKKt0uZUBaLghvtnCj.cs High entropy of concatenated method names: 'b70kvT54C', 'CiZob7nA8', 'R13TBIVlf', 'JRLYvuyaI', 'hbfjGIJDu', 'le89xYK6B', 'ADEchtw4raIhp8inyc', 'J8p8vUQZGBMtl2syki', 'rBBn7x4Ip', 'TCXFxVK9m'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, xlbPoNSZIT2A7lpgVn.cs High entropy of concatenated method names: 'eiZlDEjjTU', 'GKVlMcUlPL', 'MONlktd5X2', 'bpdloA1lth', 'yE0lwJssSf', 'vrZlTkRJXx', 'Aq4lYXO7YR', 'UNglPrrvBu', 'g6hljWy2Q0', 'YSDl9b1g21'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, gChElXG2iTj9pmYkL4.cs High entropy of concatenated method names: 'owWs8F6uNm', 'DaYsJjUolR', 'CyysrV9f1o', 'R8Ksl90Xsy', 'BfesfrTR3j', 'yeqrXhIbPr', 'NbHrg8xyFS', 'n1HrBKeELh', 'vFZrVfkvw1', 'jOHr0oRCC6'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, idbalSevs0md1CRtV0.cs High entropy of concatenated method names: 'EVYda1gQlQ', 'ehZdxvEubf', 'XvZdeEuHrW', 'neBdHorEwW', 'AlHd5D7rRk', 'NKxdcHKGpD', 'OLedpyd6sR', 'yUcdLpCifq', 'UNad7SSl8N', 'LradOriPNC'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, eXZIWhV1g8iGIrxMco.cs High entropy of concatenated method names: 'pLvnyKoxD2', 'ChsnJEwAfE', 'wRUnU24gfA', 'c51nrG2IAI', 'E4unsEIJkp', 'yPMnlR85hX', 'lxdnfLnRE4', 'vhEnidjqWq', 'Wjxn3bUtkn', 'P3knR8wKZW'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, oQXkeEJFwLoP2MaAn3.cs High entropy of concatenated method names: 'Dispose', 'jFcN0qCPq3', 'IfgZ5ZWbZQ', 'Ggk44gJNKi', 'j8XNhZIWh1', 'U8iNzGIrxM', 'ProcessDialogKey', 'IoZZKkDAAq', 'vjRZNsFIG5', 'QC4ZZ7Bhn4'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, yHAGFTNKKDjK5iO9ZJr.cs High entropy of concatenated method names: 'uUgED16u5h', 'VtgEMQxdPf', 'pQJEk7rjCD', 'gdPEocDeKA', 'Tf0Ewb2H7K', 'SlCETQ5kEF', 'hTlEY9NTpS', 'f04EPnBWQv', 'KOCEj5W48V', 'cWoE9pccNk'
Drops PE files
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe File created: C:\Users\user\AppData\Roaming\skyT\skyT.exe Jump to dropped file
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run skyT Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run skyT Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe File opened: C:\Users\user\AppData\Roaming\skyT\skyT.exe:Zone.Identifier read attributes | delete Jump to behavior
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe PID: 4232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: skyT.exe PID: 2036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: skyT.exe PID: 1020, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 17A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 30F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 50F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 7F40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 8F40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 90F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: A0F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 11B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 2C70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 4C70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 2F70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 31E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 3000000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 7A20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 8A20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 7A20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 2C50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 2E20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 4E20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 25C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 2840000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 25C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 7060000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 8060000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 82F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 92F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 1690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 3220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 3130000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2400000 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399890 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399781 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399670 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399547 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399437 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399327 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399217 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399094 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398969 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398860 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398735 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398610 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398485 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398344 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398234 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398125 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398014 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397891 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397766 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397656 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397547 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397438 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397313 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397188 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397078 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396969 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396844 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396735 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396610 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396496 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396389 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396262 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396156 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396045 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395933 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395813 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395703 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395591 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395469 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395360 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395235 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395110 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394985 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394860 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394749 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394640 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394531 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394422 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394281 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399891 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399781 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399657 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399436 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399328 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399219 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399110 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398969 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398844 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398726 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398625 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398516 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398391 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398031 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397922 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397813 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397688 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397563 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397453 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397340 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397234 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397125 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397016 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396891 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396782 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396657 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396532 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396420 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396309 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396203 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396094 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395979 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395875 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395762 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395641 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395516 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395391 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395282 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395157 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395032 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394918 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394803 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394686 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394469 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394344 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394234 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394124 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2400000
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399887
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399776
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399656
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399545
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399437
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399328
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399218
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399109
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399000
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398890
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398780
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398671
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398561
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398453
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398343
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398234
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398122
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398015
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397906
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397796
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397687
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397578
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397466
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397355
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397234
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397125
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397015
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396906
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396796
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396685
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396578
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396468
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396359
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396250
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396140
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396030
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395921
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395812
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395703
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395593
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395484
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395374
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395265
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395156
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395046
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394937
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394828
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394718
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394609
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394500
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6041 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3278 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Window / User API: threadDelayed 2340 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Window / User API: threadDelayed 7492 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Window / User API: threadDelayed 6900 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Window / User API: threadDelayed 2943 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Window / User API: threadDelayed 2312
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Window / User API: threadDelayed 7541
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 3080 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2548 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5004 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -35971150943733603s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2400000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 2612 Thread sleep count: 2340 > 30 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2399890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 2612 Thread sleep count: 7492 > 30 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2399781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2399670s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2399547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2399437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2399327s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2399217s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2399094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2398969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2398860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2398735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2398610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2398485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2398344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2398234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2398125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2398014s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2397891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2397766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2397656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2397547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2397438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2397313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2397188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2397078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2396969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2396844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2396735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2396610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2396496s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2396389s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2396262s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2396156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2396045s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2395933s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2395813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2395703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2395591s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2395469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2395360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2395235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2395110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2394985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2394860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2394749s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2394640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2394531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2394422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548 Thread sleep time: -2394281s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4328 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -28592453314249787s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2400000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2399891s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 3924 Thread sleep count: 6900 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 3924 Thread sleep count: 2943 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2399781s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2399657s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2399547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2399436s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2399328s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2399219s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2399110s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2398969s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2398844s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2398726s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2398625s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2398516s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2398391s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2398031s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2397922s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2397813s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2397688s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2397563s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2397453s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2397340s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2397234s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2397125s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2397016s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2396891s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2396782s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2396657s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2396532s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2396420s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2396309s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2396203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2396094s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2395979s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2395875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2395762s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2395641s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2395516s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2395391s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2395282s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2395157s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2395032s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2394918s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2394803s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2394686s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2394578s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2394469s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2394344s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2394234s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084 Thread sleep time: -2394124s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 5044 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2400000s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 5156 Thread sleep count: 2312 > 30
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2399887s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 5156 Thread sleep count: 7541 > 30
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2399776s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2399656s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2399545s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2399437s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2399328s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2399218s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2399109s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2399000s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2398890s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2398780s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2398671s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2398561s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2398453s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2398343s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2398234s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2398122s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2398015s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2397906s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2397796s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2397687s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2397578s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2397466s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2397355s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2397234s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2397125s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2397015s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2396906s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2396796s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2396685s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2396578s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2396468s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2396359s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2396250s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2396140s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2396030s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2395921s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2395812s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2395703s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2395593s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2395484s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2395374s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2395265s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2395156s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2395046s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2394937s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2394828s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2394718s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2394609s >= -30000s
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600 Thread sleep time: -2394500s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2400000 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399890 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399781 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399670 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399547 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399437 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399327 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399217 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399094 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398969 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398860 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398735 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398610 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398485 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398344 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398234 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398125 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398014 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397891 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397766 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397656 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397547 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397438 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397313 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397188 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397078 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396969 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396844 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396735 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396610 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396496 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396389 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396262 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396156 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396045 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395933 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395813 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395703 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395591 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395469 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395360 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395235 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395110 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394985 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394860 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394749 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394640 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394531 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394422 Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394281 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399891 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399781 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399657 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399436 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399328 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399219 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399110 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398969 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398844 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398726 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398625 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398516 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398391 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398031 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397922 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397813 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397688 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397563 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397453 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397340 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397234 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397125 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397016 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396891 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396782 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396657 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396532 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396420 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396309 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396203 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396094 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395979 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395875 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395762 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395641 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395516 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395391 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395282 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395157 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395032 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394918 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394803 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394686 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394469 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394344 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394234 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394124 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2400000
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399887
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399776
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399656
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399545
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399437
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399328
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399218
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399109
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399000
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398890
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398780
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398671
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398561
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398453
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398343
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398234
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398122
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398015
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397906
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397796
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397687
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397578
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397466
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397355
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397234
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397125
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397015
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396906
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396796
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396685
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396578
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396468
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396359
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396250
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396140
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396030
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395921
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395812
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395703
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395593
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395484
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395374
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395265
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395156
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395046
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394937
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394828
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394718
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394609
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394500
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4577974413.00000000061A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe"
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory written: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory written: C:\Users\user\AppData\Roaming\skyT\skyT.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory written: C:\Users\user\AppData\Roaming\skyT\skyT.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe" Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process created: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe" Jump to behavior
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Time: 07/23/2024 16:41:09<br>User Name: user<br>Computer Name: 141700<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (23/05/2024 11:20:44)<br>{Win}r{Win}r
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q3<b>[ Program Manager]</b> (23/05/2024 11:20:44)<br>
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q?<b>[ Program Manager]</b> (23/05/2024 11:20:44)<br>{Win}r{Win}rTH
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q><b>[ Program Manager]</b> (23/05/2024 11:20:44)<br>{Win}r{Win}TH
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q9<b>[ Program Manager]</b> (23/05/2024 11:20:44)<br>{Win}rTH
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q8<b>[ Program Manager]</b> (23/05/2024 11:20:44)<br>{Win}TH
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Queries volume information: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Queries volume information: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Users\user\AppData\Roaming\skyT\skyT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Users\user\AppData\Roaming\skyT\skyT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Users\user\AppData\Roaming\skyT\skyT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Users\user\AppData\Roaming\skyT\skyT.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 6.2.skyT.exe.4558350.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skyT.exe.451d730.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.skyT.exe.3b41b18.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.skyT.exe.3b41b18.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skyT.exe.4558350.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.skyT.exe.3bb8bd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.skyT.exe.3bb8bd0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skyT.exe.451d730.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2357943673.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2357943673.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4569543128.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2137030214.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2295766136.000000000451D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe PID: 4232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: skyT.exe PID: 2036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: skyT.exe PID: 1396, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: skyT.exe PID: 1020, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 6.2.skyT.exe.4558350.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skyT.exe.451d730.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.skyT.exe.3b41b18.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.skyT.exe.3b41b18.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skyT.exe.4558350.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.skyT.exe.3bb8bd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.skyT.exe.3bb8bd0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skyT.exe.451d730.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2357943673.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2357943673.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4569543128.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2137030214.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2295766136.000000000451D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4573886453.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4574644878.000000000322B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe PID: 4232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe PID: 3160, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: skyT.exe PID: 2036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: skyT.exe PID: 1396, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: skyT.exe PID: 1020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: skyT.exe PID: 1656, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 6.2.skyT.exe.4558350.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skyT.exe.451d730.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.skyT.exe.3b41b18.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.skyT.exe.3b41b18.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skyT.exe.4558350.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.skyT.exe.3bb8bd0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.skyT.exe.3bb8bd0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skyT.exe.451d730.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2357943673.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2357943673.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4569543128.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2137030214.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2295766136.000000000451D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe PID: 4232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: skyT.exe PID: 2036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: skyT.exe PID: 1396, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: skyT.exe PID: 1020, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1446056 Sample: 739077083533. FedEX_1310097... Startdate: 22/05/2024 Architecture: WINDOWS Score: 100 32 mail.adgumrukmusavirligi.com 2->32 34 adgumrukmusavirligi.com 2->34 48 Snort IDS alert for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 13 other signatures 2->54 8 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe 4 2->8         started        11 skyT.exe 3 2->11         started        13 skyT.exe 2 2->13         started        signatures3 process4 signatures5 56 Adds a directory exclusion to Windows Defender 8->56 58 Injects a PE file into a foreign processes 8->58 15 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe 1 5 8->15         started        20 powershell.exe 22 8->20         started        60 Antivirus detection for dropped file 11->60 62 Multi AV Scanner detection for dropped file 11->62 64 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->64 66 Machine Learning detection for dropped file 11->66 22 skyT.exe 2 11->22         started        24 skyT.exe 13->24         started        process6 dnsIp7 36 adgumrukmusavirligi.com 94.199.206.42, 587, 60100, 60101 AEROTEK-ASTR Turkey 15->36 28 C:\Users\user\AppData\Roaming\skyT\skyT.exe, PE32 15->28 dropped 30 C:\Users\user\...\skyT.exe:Zone.Identifier, ASCII 15->30 dropped 38 Tries to steal Mail credentials (via file / registry access) 15->38 40 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->40 42 Installs a global keyboard hook 15->42 44 Loading BitLocker PowerShell Module 20->44 26 conhost.exe 20->26         started        46 Tries to harvest and steal browser information (history, passwords, etc) 24->46 file8 signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
94.199.206.42
 adgumrukmusavirligi.com Turkey
42807 AEROTEK-ASTR true

Contacted Domains

Name IP Active
adgumrukmusavirligi.com 94.199.206.42 true
mail.adgumrukmusavirligi.com unknown unknown