Windows Analysis Report
c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe

Overview

General Information

Sample name: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Analysis ID: 1467942
MD5: e96cdfd7c641b4fea03541b97f6342a1
SHA1: 535e5952f7fa869edae1296ba904632207c44aef
SHA256: 1131e8baca9159531db856b4f814c52fd05e7dc32a5412d7e52a41e731e55be9
Tags: exe
Infos:

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Avira: detected
Found malware configuration
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.technique.net.au", "Username": "logo@technique.net.au", "Password": "Business@2222"}
Multi AV Scanner detection for submitted file
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Virustotal: Detection: 54% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Binary string: _.pdb source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49738 -> 122.201.84.5:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49738 -> 122.201.84.5:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: mail.technique.net.au
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002854000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.00000000028F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.technique.net.au
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095308322.00000000055E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548753308.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3865071099.00000000055D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548488579.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3549000830.0000000005ADD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095038772.0000000005559000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548424836.0000000005547000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548447390.0000000005558000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000270C000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548837275.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548300536.000000000555F000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095499511.0000000005A10000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002778000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548876333.0000000005A45000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548602855.0000000005590000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864525401.00000000055CF000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094997378.000000000552B000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095308322.00000000055E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548753308.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3865071099.00000000055D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548488579.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3549000830.0000000005ADD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095038772.0000000005559000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548424836.0000000005547000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548447390.0000000005558000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000270C000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548837275.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548300536.000000000555F000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095499511.0000000005A10000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002778000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548876333.0000000005A45000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548602855.0000000005590000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864525401.00000000055CF000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094997378.000000000552B000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.00000000026C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548753308.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864438719.0000000005571000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548488579.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095088181.0000000005571000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3549000830.0000000005ADD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548837275.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548300536.000000000555F000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864690101.00000000055E4000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864970405.000000000552A000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094997378.000000000552B000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095276915.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864708408.00000000055FB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548978780.0000000005526000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.000000000049E000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095327160.00000000055FD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095293551.00000000055E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548753308.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864438719.0000000005571000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548488579.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095088181.0000000005571000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.000000000298F000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3549000830.0000000005ADD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548837275.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548300536.000000000555F000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864690101.00000000055E4000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864970405.000000000552A000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094997378.000000000552B000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002804000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095276915.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864708408.00000000055FB000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548978780.0000000005526000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092517684.000000000049E000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095327160.00000000055FD000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095293551.00000000055E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, 3DlgK9re6m.cs .Net Code: xCBm
Installs a global keyboard hook
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, type: SAMPLE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_00408C60 0_2_00408C60
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_0040DC11 0_2_0040DC11
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_00407C3F 0_2_00407C3F
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_00418CCC 0_2_00418CCC
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_00406CA0 0_2_00406CA0
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_004028B0 0_2_004028B0
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_0041A4BE 0_2_0041A4BE
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_00408C60 0_2_00408C60
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_00418244 0_2_00418244
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_00401650 0_2_00401650
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_00402F20 0_2_00402F20
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_004193C4 0_2_004193C4
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_00418788 0_2_00418788
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_00402F89 0_2_00402F89
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_00402B90 0_2_00402B90
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_004073A0 0_2_004073A0
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_0222D620 0_2_0222D620
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_0222CA08 0_2_0222CA08
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_0222CD50 0_2_0222CD50
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_02220FD0 0_2_02220FD0
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_02221030 0_2_02221030
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_05800500 0_2_05800500
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_05B3C5A0 0_2_05B3C5A0
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_05B3DD90 0_2_05B3DD90
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_05B3B7C8 0_2_05B3B7C8
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_05B38358 0_2_05B38358
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_05B30006 0_2_05B30006
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_05B30040 0_2_05B30040
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_05B3D6A0 0_2_05B3D6A0
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_061C3154 0_2_061C3154
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_061C3A10 0_2_061C3A10
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_064806A8 0_2_064806A8
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_0648BF52 0_2_0648BF52
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_0648BF60 0_2_0648BF60
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_06485BD1 0_2_06485BD1
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: String function: 0040E1D8 appears 43 times
Sample file is different than original file name gathered from version info
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef2f28b76-fc5f-4a0c-983d-845e781e7a0d.exe4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092390288.0000000000444000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamef2f28b76-fc5f-4a0c-983d-845e781e7a0d.exe4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093598949.00000000026C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef2f28b76-fc5f-4a0c-983d-845e781e7a0d.exe4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamef2f28b76-fc5f-4a0c-983d-845e781e7a0d.exe4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4092264042.0000000000198000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamef2f28b76-fc5f-4a0c-983d-845e781e7a0d.exe4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef2f28b76-fc5f-4a0c-983d-845e781e7a0d.exe4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_.dll4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Binary or memory string: OriginalFilenamef2f28b76-fc5f-4a0c-983d-845e781e7a0d.exe4 vs c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe
Uses 32bit PE files
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, type: SAMPLE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Static PE information: Section: .rsrc ZLIB complexity 0.9952230798192772
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, slKb.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, mAKJ.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, xQRSe0Fg.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, n3rhMa.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, MQzE4FWn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, nSmgRyX5a1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, 6IMLmJtk.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, 6IMLmJtk.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, 3HroK7qN.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, 3HroK7qN.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Mutant created: NULL
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Command line argument: 08A 0_2_00413780
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Virustotal: Detection: 54%
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
PE file contains an invalid checksum
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Static PE information: real checksum: 0x23bfb should be: 0x4d812
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_0040BB97 push dword ptr [ecx-75h]; iretd 0_2_0040BBA3
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_02224347 push ebp; iretd 0_2_02224360
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_02224752 pushad ; retf 0_2_02224755
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_02224F5E push edx; ret 0_2_02224F63
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_061CC250 push es; ret 0_2_061CC260
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_061C2856 push 14062C2Fh; retf 0_2_061C2865
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_064833F0 push es; ret 0_2_064833F4
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_0648DF2F push ecx; ret 0_2_0648DF49
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'zcCE8fodSZvj4', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'zcCE8fodSZvj4', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'zcCE8fodSZvj4', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'zcCE8fodSZvj4', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Memory allocated: 2180000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Memory allocated: 26C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Memory allocated: 2180000 memory reserve | memory write watch Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1199829 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1199704 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1199581 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1199454 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1199344 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1199212 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1199080 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198938 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198829 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198704 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198579 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198454 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198329 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198204 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198079 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197954 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197829 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197704 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197579 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197454 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197329 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197204 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197079 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1196954 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1196829 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1196704 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1196579 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1196454 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1196250 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195969 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195787 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195640 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195524 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195422 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195310 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195203 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195094 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194969 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194860 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194735 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194610 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194485 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194360 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194235 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194110 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1193985 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1193860 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1193735 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1193610 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1193485 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1193360 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Window / User API: threadDelayed 2269 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Window / User API: threadDelayed 7545 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -32281802128991695s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1200000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1199829s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1199704s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1199581s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1199454s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1199344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1199212s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1199080s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1198938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1198829s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1198704s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1198579s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1198454s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1198329s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1198204s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1198079s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1197954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1197829s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1197704s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1197579s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1197454s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1197329s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1197204s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1197079s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1196954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1196829s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1196704s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1196579s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1196454s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1196250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1195969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1195787s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1195640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1195524s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1195422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1195310s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1195203s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1195094s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1194969s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1194860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1194735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1194610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1194485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1194360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1194235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1194110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1193985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1193860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1193735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1193610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1193485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe TID: 1732 Thread sleep time: -1193360s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1199829 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1199704 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1199581 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1199454 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1199344 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1199212 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1199080 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198938 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198829 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198704 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198579 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198454 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198329 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198204 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1198079 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197954 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197829 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197704 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197579 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197454 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197329 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197204 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1197079 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1196954 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1196829 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1196704 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1196579 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1196454 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1196250 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195969 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195787 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195640 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195524 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195422 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195310 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195203 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1195094 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194969 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194860 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194735 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194610 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194485 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194360 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194235 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1194110 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1193985 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1193860 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1193735 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1193610 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1193485 Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Thread delayed: delay time: 1193360 Jump to behavior
Source: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.1653952673.0000000005A19000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3864546853.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000002.4095535541.0000000005A2B000.00000004.00000020.00020000.00000000.sdmp, c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe, 00000000.00000003.3548876333.0000000005A27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CE09
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 0_2_004019F0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree, 0_2_0040ADB0
Enables debug privileges
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040CE09
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040E61C
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00416F6A
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_004123F1 SetUnhandledExceptionFilter, 0_2_004123F1
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Memory allocated: page read and write | page guard Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: GetLocaleInfoA, 0_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00412A15
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe PID: 6668, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4093598949.000000000270C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe PID: 6668, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe PID: 6668, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.50e0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229fb46.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.2610ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.229ec5e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.c2e57fb2b8206bd9b5d05d8a9b0d2e78082dd303ee6364b288d568fcd48900f7_dump.exe.4e96e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4094244027.0000000003745000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4094811322.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1639474007.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4093403417.0000000002610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4093243032.000000000225E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.26.12.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false
122.201.84.5
 mail.technique.net.au Australia
38719 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU true

Contacted Domains

Name IP Active
mail.technique.net.au 122.201.84.5 true
api.ipify.org 104.26.12.205 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
  • URL Reputation: safe
 unknown