Windows Analysis Report
PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe

Overview

General Information

Sample name: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Analysis ID: 1525500
MD5: 96a7ec39104585a6dedc95933dd9ac66
SHA1: 3dcbb5b705081ea3a822bcc29d0bcc85626d45ed
SHA256: 44562817ca024e665e0c44fa1911e74d210f938a29518ce0b186a11bbff1ff72
Tags: exeuser-lowmal3
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Avira: detection malicious, Label: HEUR/AGEN.1310836
Found malware configuration
Source: 8.2.InstallUtil.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.alternatifplastik.com", "Username": "fgghv@alternatifplastik.com", "Password": "Fineboy777@"}
Multi AV Scanner detection for domain / URL
Source: wymascensores.com Virustotal: Detection: 11% Perma Link
Source: https://wymascensores.com/ozeli/Xibknlpkg.vdf Virustotal: Detection: 10% Perma Link
Source: https://wymascensores.com/ozeli/Xibknlpkg.vdf18p6Mu3xADDSL Virustotal: Detection: 10% Perma Link
Source: https://wymascensores.com Virustotal: Detection: 6% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Iujcy.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Virustotal: Detection: 31% Perma Link
Multi AV Scanner detection for submitted file
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe ReversingLabs: Detection: 31%
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Virustotal: Detection: 31% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.7:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.7:49775 version: TLS 1.2
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1311519040.00000000035A8000.00000004.00000800.00020000.00000000.sdmp, PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1290774383.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1316499062.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, Iujcy.exe, 0000000A.00000002.1409827566.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1515623045.0000000002CD3000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1544555962.00000000037B8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1311519040.00000000035A8000.00000004.00000800.00020000.00000000.sdmp, PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1290774383.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1316499062.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, Iujcy.exe, 0000000A.00000002.1409827566.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1515623045.0000000002CD3000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1544555962.00000000037B8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1315295077.0000000005850000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1315295077.0000000005850000.00000004.08000000.00040000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_057D0260
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_057D0255
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_05AFFDF8
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then jmp 05AF3AEEh 0_2_05AF3C8D
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_05AFFE00
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then jmp 05AFB708h 0_2_05AFB648
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then jmp 05AFB708h 0_2_05AFB650
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then jmp 05AF3400h 0_2_05AF3380
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then jmp 05AF3400h 0_2_05AF3370
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then jmp 05AF3AEEh 0_2_05AF3A88
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then jmp 05AF3AEEh 0_2_05AF3A7B
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then jmp 05B00D0Ah 0_2_05B00CA0
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then jmp 05B00D0Ah 0_2_05B00C92
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then jmp 05B00D0Ah 0_2_05B00FBC
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 4x nop then jmp 05B00D0Ah 0_2_05B00E5D
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 10_2_05E70260
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 10_2_05E70255
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 10_2_0619FE00
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 0619B708h 10_2_0619B650
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 0619B708h 10_2_0619B648
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 06193AEEh 10_2_06193C8D
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 10_2_0619FDF8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 06193AEEh 10_2_06193A7A
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 06193AEEh 10_2_06193A88
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 06193400h 10_2_06193370
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 06193400h 10_2_06193380
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 061A0D0Ah 10_2_061A0E65
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 061A0D0Ah 10_2_061A0C92
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 061A0D0Ah 10_2_061A0CA0
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 13_2_05D7035D
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 13_2_05D70368
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 05F53AF6h 13_2_05F53C95
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 05F53000h 13_2_05F52F80
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 05F53000h 13_2_05F52F70
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 05F5B708h 13_2_05F5B650
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 05F5B708h 13_2_05F5B648
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 13_2_05F5FE00
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 13_2_05F5FE08
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 05F53AF6h 13_2_05F53A90
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 05F53AF6h 13_2_05F53A83
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 05F60D0Ah 13_2_05F60CA0
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 05F60D0Ah 13_2_05F60C91
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 4x nop then jmp 05F60D0Ah 13_2_05F60E65

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.7:49701 -> 5.2.84.236:52560
Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.7:49700 -> 5.2.84.236:21
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.7:49760 -> 5.2.84.236:53494
Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.7:49740 -> 5.2.84.236:21
Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.7:49796 -> 5.2.84.236:21
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.7:49812 -> 5.2.84.236:51014
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 5.2.84.236 ports 52560,1,2,53494,51014,21
Yara detected Generic Downloader
Source: Yara match File source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.36b5c60.3.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49701 -> 5.2.84.236:52560
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ozeli/Xibknlpkg.vdf HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ozeli/Xibknlpkg.vdf HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ozeli/Xibknlpkg.vdf HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ozeli/Xibknlpkg.vdf HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 67.212.175.162 67.212.175.162
Source: Joe Sandbox View IP Address: 5.2.84.236 5.2.84.236
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ALASTYRTR ALASTYRTR
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Uses FTP
Source: unknown FTP traffic detected: 5.2.84.236:21 -> 192.168.2.7:49700 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 100 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 100 allowed.220-Local time is now 11:41. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 100 allowed.220-Local time is now 11:41. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 100 allowed.220-Local time is now 11:41. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 100 allowed.220-Local time is now 11:41. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 10 minutes of inactivity.
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /ozeli/Xibknlpkg.vdf HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ozeli/Xibknlpkg.vdf HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ozeli/Xibknlpkg.vdf HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ozeli/Xibknlpkg.vdf HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: wymascensores.com
Source: global traffic DNS traffic detected: DNS query: ftp.alternatifplastik.com
Source: InstallUtil.exe, 00000008.00000002.1413730064.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1413730064.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.1516278275.000000000315E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.1516278275.000000000316C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2503048867.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2503048867.000000000300C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ftp.alternatifplastik.com
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1290774383.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1413730064.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000A.00000002.1409827566.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.1516278275.000000000315E000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1515623045.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000002.2503048867.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1290774383.00000000029BA000.00000004.00000800.00020000.00000000.sdmp, PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1311519040.00000000035A8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.1406060277.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Iujcy.exe, 0000000A.00000002.1441897050.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000A.00000002.1409827566.0000000003196000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000A.00000002.1441897050.0000000003EE4000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1544555962.00000000038FB000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1544555962.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1515623045.0000000002D85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1315295077.0000000005850000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1315295077.0000000005850000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1315295077.0000000005850000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1315295077.0000000005850000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1315295077.0000000005850000.00000004.08000000.00040000.00000000.sdmp, PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1290774383.00000000025E7000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000A.00000002.1409827566.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1515623045.00000000027F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1315295077.0000000005850000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: Iujcy.exe, 0000000D.00000002.1548837966.0000000005B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wdcp.micros
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1290774383.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000A.00000002.1409827566.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1515623045.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1515623045.00000000027DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wymascensores.com
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1290774383.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000A.00000002.1409827566.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1515623045.00000000027B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wymascensores.com/ozeli/Xibknlpkg.vdf
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, Iujcy.exe.0.dr String found in binary or memory: https://wymascensores.com/ozeli/Xibknlpkg.vdf18p6Mu3xADDSL
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.7:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.7:49775 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 13.2.Iujcy.exe.3910328.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.Iujcy.exe.3910328.3.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 10.2.Iujcy.exe.3ee4480.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.Iujcy.exe.3ee4480.4.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 13.2.Iujcy.exe.3910328.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.Iujcy.exe.3910328.3.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 10.2.Iujcy.exe.3ee4480.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.Iujcy.exe.3ee4480.4.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.36b5c60.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.36b5c60.3.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.35a9550.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.35a9550.2.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AFE408 NtResumeThread, 0_2_05AFE408
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AFCF18 NtProtectVirtualMemory, 0_2_05AFCF18
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AFE400 NtResumeThread, 0_2_05AFE400
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_0619CF18 NtProtectVirtualMemory, 10_2_0619CF18
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_0619E408 NtResumeThread, 10_2_0619E408
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_0619E400 NtResumeThread, 10_2_0619E400
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F5E410 NtResumeThread, 13_2_05F5E410
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F5CB18 NtProtectVirtualMemory, 13_2_05F5CB18
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F5E408 NtResumeThread, 13_2_05F5E408
Detected potential crypto function
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_00D22090 0_2_00D22090
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_00D220A0 0_2_00D220A0
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_00D226F0 0_2_00D226F0
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_057D75C0 0_2_057D75C0
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_057D4EE0 0_2_057D4EE0
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_057D89BC 0_2_057D89BC
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_057DA530 0_2_057DA530
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_057DD5D0 0_2_057DD5D0
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_057D1798 0_2_057D1798
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_057D1788 0_2_057D1788
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05843D90 0_2_05843D90
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_0584C0A8 0_2_0584C0A8
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05843D81 0_2_05843D81
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_0584C0A1 0_2_0584C0A1
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_058420E8 0_2_058420E8
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_058420F8 0_2_058420F8
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05844332 0_2_05844332
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_0584CB71 0_2_0584CB71
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AF9DF8 0_2_05AF9DF8
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AF5AF0 0_2_05AF5AF0
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AF9DE9 0_2_05AF9DE9
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AFBC80 0_2_05AFBC80
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AFCC80 0_2_05AFCC80
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AF3F00 0_2_05AF3F00
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AF3F10 0_2_05AF3F10
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AF7028 0_2_05AF7028
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AF7038 0_2_05AF7038
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AF0040 0_2_05AF0040
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AF5AE0 0_2_05AF5AE0
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05B094A0 0_2_05B094A0
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05B09490 0_2_05B09490
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05B10040 0_2_05B10040
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05B13A90 0_2_05B13A90
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05B11648 0_2_05B11648
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05B10367 0_2_05B10367
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05CAD808 0_2_05CAD808
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05C90040 0_2_05C90040
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05C90006 0_2_05C90006
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05CACBA8 0_2_05CACBA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_01134A60 8_2_01134A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_01139C68 8_2_01139C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0113CF28 8_2_0113CF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_01133E48 8_2_01133E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_01134190 8_2_01134190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_060C56B0 8_2_060C56B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_060C0040 8_2_060C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_060C3F28 8_2_060C3F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_060CBCC8 8_2_060CBCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_060C9AA0 8_2_060C9AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_060C2AE8 8_2_060C2AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_060C8B5A 8_2_060C8B5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_060CDBF8 8_2_060CDBF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_060C321B 8_2_060C321B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_060C4FD0 8_2_060C4FD0
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_00F420A0 10_2_00F420A0
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_00F42090 10_2_00F42090
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_00F426F0 10_2_00F426F0
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05E775C0 10_2_05E775C0
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05E74EE0 10_2_05E74EE0
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05E789BC 10_2_05E789BC
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05E7D5D0 10_2_05E7D5D0
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05E7A530 10_2_05E7A530
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05E71788 10_2_05E71788
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05E71798 10_2_05E71798
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05E74ED0 10_2_05E74ED0
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05EE3D90 10_2_05EE3D90
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05EEC0A8 10_2_05EEC0A8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05EE3D81 10_2_05EE3D81
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05EE20E8 10_2_05EE20E8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05EE20F8 10_2_05EE20F8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05EEC09A 10_2_05EEC09A
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05EECB71 10_2_05EECB71
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05EE4333 10_2_05EE4333
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_06199DF8 10_2_06199DF8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_06195AF0 10_2_06195AF0
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_06193F10 10_2_06193F10
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_06193F06 10_2_06193F06
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_0619BC80 10_2_0619BC80
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_0619CC80 10_2_0619CC80
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_06199DE9 10_2_06199DE9
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_06195AE4 10_2_06195AE4
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_06197038 10_2_06197038
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_06197028 10_2_06197028
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_06190040 10_2_06190040
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_061A85C8 10_2_061A85C8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_061A836C 10_2_061A836C
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_061A716F 10_2_061A716F
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_061B0040 10_2_061B0040
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_061B1648 10_2_061B1648
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_061B0367 10_2_061B0367
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_0634D808 10_2_0634D808
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_0634CBA8 10_2_0634CBA8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_0633003B 10_2_0633003B
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_06330040 10_2_06330040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_02FB93F8 11_2_02FB93F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_02FB4A60 11_2_02FB4A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_02FB3E48 11_2_02FB3E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_02FBCF28 11_2_02FBCF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_02FB9C70 11_2_02FB9C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_02FB4190 11_2_02FB4190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_065656A8 11_2_065656A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_06560040 11_2_06560040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_06562EE8 11_2_06562EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_06563F20 11_2_06563F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_0656DC00 11_2_0656DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_0656BCC0 11_2_0656BCC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_06569A98 11_2_06569A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_06568B60 11_2_06568B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_06563630 11_2_06563630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_06564FC8 11_2_06564FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_02FB9C68 11_2_02FB9C68
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_00DF21F8 13_2_00DF21F8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_00DF2208 13_2_00DF2208
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_00DF2C58 13_2_00DF2C58
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_00DF2C48 13_2_00DF2C48
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05D74FE8 13_2_05D74FE8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05D786E4 13_2_05D786E4
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05D772E8 13_2_05D772E8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05D74FD8 13_2_05D74FD8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05D7D700 13_2_05D7D700
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05D71890 13_2_05D71890
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05D718A0 13_2_05D718A0
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05D7A258 13_2_05D7A258
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05DE4190 13_2_05DE4190
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05DEC0A0 13_2_05DEC0A0
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05DE24F8 13_2_05DE24F8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05DE24E8 13_2_05DE24E8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05DE4732 13_2_05DE4732
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05DE4181 13_2_05DE4181
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05DEC093 13_2_05DEC093
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05DECF80 13_2_05DECF80
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05DECF71 13_2_05DECF71
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F59DF8 13_2_05F59DF8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F556F8 13_2_05F556F8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F59DE9 13_2_05F59DE9
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F5BC80 13_2_05F5BC80
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F53F18 13_2_05F53F18
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F53F08 13_2_05F53F08
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F556EC 13_2_05F556EC
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F5C880 13_2_05F5C880
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F50040 13_2_05F50040
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F57040 13_2_05F57040
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F57008 13_2_05F57008
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F684A0 13_2_05F684A0
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F68491 13_2_05F68491
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F70040 13_2_05F70040
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F71648 13_2_05F71648
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F70367 13_2_05F70367
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_0624D808 13_2_0624D808
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_0624CBA8 13_2_0624CBA8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_06230006 13_2_06230006
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_06230040 13_2_06230040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_02E34A60 14_2_02E34A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_02E33E48 14_2_02E33E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_02E3CFE9 14_2_02E3CFE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_02E39C69 14_2_02E39C69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_02E34190 14_2_02E34190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_063756A8 14_2_063756A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_06370040 14_2_06370040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_06372EE8 14_2_06372EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_06373F20 14_2_06373F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0637BCC0 14_2_0637BCC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_06378B52 14_2_06378B52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0637DBF0 14_2_0637DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0637361B 14_2_0637361B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_06374FC8 14_2_06374FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_02E39C62 14_2_02E39C62
Sample file is different than original file name gathered from version info
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000000.1255560038.00000000000E2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWcbnxpci.exe2 vs PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1290774383.00000000029BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7dfcfdf2-d881-49c9-a39e-708aca656f85.exe4 vs PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1314610366.00000000056B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameHdvbwcwj.dll" vs PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1311519040.00000000035A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1311519040.00000000035A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWcbnxpci.exe2 vs PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1311519040.00000000035A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7dfcfdf2-d881-49c9-a39e-708aca656f85.exe4 vs PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1315295077.0000000005850000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1290774383.00000000028FB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1289616229.00000000006DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1290774383.00000000025E7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1290774383.00000000025E7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7dfcfdf2-d881-49c9-a39e-708aca656f85.exe4 vs PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1314300994.0000000005638000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWcbnxpci.exe2 vs PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1316499062.0000000005B90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Binary or memory string: OriginalFilenameWcbnxpci.exe2 vs PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe
Uses 32bit PE files
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 13.2.Iujcy.exe.3910328.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.Iujcy.exe.3910328.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 10.2.Iujcy.exe.3ee4480.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.Iujcy.exe.3ee4480.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 13.2.Iujcy.exe.3910328.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.Iujcy.exe.3910328.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 10.2.Iujcy.exe.3ee4480.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.Iujcy.exe.3ee4480.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.36b5c60.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.36b5c60.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.35a9550.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.35a9550.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.5b90000.7.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.5b90000.7.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.5b90000.7.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.5b90000.7.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.5b90000.7.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.5b90000.7.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.5b90000.7.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.5b90000.7.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.5b90000.7.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.5b90000.7.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/2@2/2
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe File created: C:\Users\user\AppData\Roaming\Iujcy.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe ReversingLabs: Detection: 31%
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Virustotal: Detection: 31%
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe String found in binary or memory: SingularUMatrix5SingularUMatrixWithElement5SingularVectorsNotComputedMSpecialCasePlannedButNotImplementedYet-StopCriterionDuplicate)StopCriterionMissing#StringNullOrEmpty
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe File read: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe "C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe"
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Iujcy.exe "C:\Users\user\AppData\Roaming\Iujcy.exe"
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Iujcy.exe "C:\Users\user\AppData\Roaming\Iujcy.exe"
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Static file information: File size 1559040 > 1048576
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x17c000
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1311519040.00000000035A8000.00000004.00000800.00020000.00000000.sdmp, PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1290774383.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1316499062.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, Iujcy.exe, 0000000A.00000002.1409827566.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1515623045.0000000002CD3000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1544555962.00000000037B8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1311519040.00000000035A8000.00000004.00000800.00020000.00000000.sdmp, PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1290774383.00000000028FB000.00000004.00000800.00020000.00000000.sdmp, PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1316499062.0000000005B90000.00000004.08000000.00040000.00000000.sdmp, Iujcy.exe, 0000000A.00000002.1409827566.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1515623045.0000000002CD3000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1544555962.00000000037B8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1315295077.0000000005850000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1315295077.0000000005850000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.5b90000.7.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.5b90000.7.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.5b90000.7.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Yara detected Costura Assembly Loader
Source: Yara match File source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.5920000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1409827566.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1315698020.0000000005920000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1290774383.00000000025E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1515623045.00000000027F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Iujcy.exe PID: 8044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Iujcy.exe PID: 5428, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_00D2B049 push ebp; retf 0_2_00D2B04A
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05802E9C push esp; retf 0_2_05802EA8
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05847D31 pushfd ; iretd 0_2_05847D3E
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05847C75 pushfd ; retf 0000h 0_2_05847C7A
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05AFA9DB pushad ; iretd 0_2_05AFA9E1
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05B0C48D pushfd ; iretd 0_2_05B0C48E
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05B11CD0 push eax; ret 0_2_05B11CD1
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Code function: 0_2_05C935B4 push ebx; retf 0_2_05C935BA
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05EE7D31 pushfd ; iretd 10_2_05EE7D3E
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_05EE7C75 pushfd ; retf 0000h 10_2_05EE7C7A
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_06196D87 push es; ret 10_2_06196D90
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_06199867 push es; retf 10_2_06199868
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_0619A9DA pushad ; iretd 10_2_0619A9E1
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_061A04F1 push es; iretd 10_2_061A04F8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_061A217A push es; retf 10_2_061A2180
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_061B1CD0 push eax; ret 10_2_061B1CD1
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 10_2_063335B4 push ebx; retf 10_2_063335BA
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05DA2EA7 push esp; retf 13_2_05DA2EA8
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05DE8131 pushfd ; iretd 13_2_05DE813E
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05DE8071 pushfd ; retf 0000h 13_2_05DE807A
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F5A9DB pushad ; iretd 13_2_05F5A9E1
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F67107 push ebx; ret 13_2_05F6710A
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F71CD0 push eax; ret 13_2_05F71CD1
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F7F0E5 push 8B0381FDh; retf 13_2_05F7F0EA
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_05F7F252 push 8B0381FDh; retf 13_2_05F7F257
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Code function: 13_2_062335B4 push ebx; retf 13_2_062335BA
Drops PE files
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe File created: C:\Users\user\AppData\Roaming\Iujcy.exe Jump to dropped file
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Iujcy Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Iujcy Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Iujcy.exe PID: 8044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Iujcy.exe PID: 5428, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1290774383.00000000025E7000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000A.00000002.1409827566.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1515623045.00000000027F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Memory allocated: D20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Memory allocated: 25A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Memory allocated: 24D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: EF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2AA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory allocated: F40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory allocated: 2D80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory allocated: 2B90000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2FB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3110000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 5110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory allocated: DF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory allocated: 27B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory allocated: 26E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2DF0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2FB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4FB0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599452 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 598797 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 598687 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 598578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 598276 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 598170 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 597998 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 597687 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 597404 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 597296 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 597187 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Window / User API: threadDelayed 912 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Window / User API: threadDelayed 3044 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -13835058055282155s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 1200 Thread sleep count: 912 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 1200 Thread sleep count: 3044 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -599671s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -599562s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -599452s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -599343s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -599234s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -599125s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -599015s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -598906s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -598797s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -598687s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -598578s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -598468s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -598276s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -598170s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -597998s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -597687s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -597404s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -597296s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe TID: 6964 Thread sleep time: -597187s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599452 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 598797 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 598687 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 598578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 598276 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 598170 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 597998 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 597687 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 597404 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 597296 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Thread delayed: delay time: 597187 Jump to behavior
Source: InstallUtil.exe, 0000000B.00000002.1531285467.0000000005E50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllorMo
Source: Iujcy.exe, 0000000D.00000002.1515623045.00000000027F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: Iujcy.exe, 0000000A.00000002.1407153584.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: Iujcy.exe, 0000000D.00000002.1515623045.00000000027F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe, 00000000.00000002.1289616229.0000000000712000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllndpo
Source: InstallUtil.exe, 00000008.00000002.1427373043.00000000051A3000.00000004.00000020.00020000.00000000.sdmp, Iujcy.exe, 0000000D.00000002.1510237810.0000000000909000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 0000000E.00000002.2513071410.0000000006270000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000 Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000 Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 8C1008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 10A4008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: C09008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Queries volume information: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Queries volume information: C:\Users\user\AppData\Roaming\Iujcy.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Queries volume information: C:\Users\user\AppData\Roaming\Iujcy.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Iujcy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 13.2.Iujcy.exe.3910328.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Iujcy.exe.3ee4480.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Iujcy.exe.3910328.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Iujcy.exe.3ee4480.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.36b5c60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.35a9550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1406060277.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1516278275.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1544555962.00000000038FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2503048867.0000000002FE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1290774383.00000000029BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1516278275.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1441897050.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1413730064.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1413730064.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1441897050.0000000003EE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1409827566.0000000003196000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2503048867.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1544555962.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1515623045.0000000002D85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1311519040.00000000035A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Iujcy.exe PID: 8044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 8116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Iujcy.exe PID: 5428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7216, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 13.2.Iujcy.exe.3910328.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Iujcy.exe.3ee4480.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Iujcy.exe.3910328.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Iujcy.exe.3ee4480.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.36b5c60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.35a9550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1406060277.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1544555962.00000000038FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1290774383.00000000029BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1516278275.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1441897050.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1413730064.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1441897050.0000000003EE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1409827566.0000000003196000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1544555962.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1515623045.0000000002D85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1311519040.00000000035A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Iujcy.exe PID: 8044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 8116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Iujcy.exe PID: 5428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7216, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 13.2.Iujcy.exe.3910328.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Iujcy.exe.3ee4480.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Iujcy.exe.3910328.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Iujcy.exe.3ee4480.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.3665c40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.36b5c60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe.35a9550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1406060277.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1516278275.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1544555962.00000000038FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2503048867.0000000002FE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1290774383.00000000029BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1516278275.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1441897050.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1413730064.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1413730064.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1441897050.0000000003EE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1409827566.0000000003196000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2503048867.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1544555962.00000000039AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1515623045.0000000002D85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1311519040.00000000035A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Iujcy.exe PID: 8044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 8116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Iujcy.exe PID: 5428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7216, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1525500 Sample: PO_7862679238279-GITTERSTAR... Startdate: 04/10/2024 Architecture: WINDOWS Score: 100 30 ftp.alternatifplastik.com 2->30 32 wymascensores.com 2->32 46 Multi AV Scanner detection for domain / URL 2->46 48 Suricata IDS alerts for network traffic 2->48 50 Found malware configuration 2->50 52 12 other signatures 2->52 7 PO_7862679238279-GITTERSTAR-UUE-EUROPE-UUE.exe 16 4 2->7         started        12 Iujcy.exe 14 2 2->12         started        14 Iujcy.exe 2 2->14         started        signatures3 process4 dnsIp5 34 wymascensores.com 67.212.175.162, 443, 49699, 49718 SINGLEHOP-LLCUS United States 7->34 24 C:\Users\user\AppData\Roaming\Iujcy.exe, PE32 7->24 dropped 26 C:\Users\user\...\Iujcy.exe:Zone.Identifier, ASCII 7->26 dropped 54 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->54 56 Writes to foreign memory regions 7->56 58 Injects a PE file into a foreign processes 7->58 16 InstallUtil.exe 14 2 7->16         started        60 Antivirus detection for dropped file 12->60 62 Multi AV Scanner detection for dropped file 12->62 64 Machine Learning detection for dropped file 12->64 66 Allocates memory in foreign processes 12->66 20 InstallUtil.exe 2 12->20         started        22 InstallUtil.exe 14->22         started        file6 signatures7 process8 dnsIp9 28 ftp.alternatifplastik.com 5.2.84.236, 21, 49700, 49701 ALASTYRTR Turkey 16->28 36 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->36 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->38 40 Tries to steal Mail credentials (via file / registry access) 22->40 42 Tries to harvest and steal ftp login credentials 22->42 44 Tries to harvest and steal browser information (history, passwords, etc) 22->44 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
67.212.175.162
 wymascensores.com United States
32475 SINGLEHOP-LLCUS false
5.2.84.236
 ftp.alternatifplastik.com Turkey
3188 ALASTYRTR true

Contacted Domains

Name IP Active
wymascensores.com 67.212.175.162 true
ftp.alternatifplastik.com 5.2.84.236 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://wymascensores.com/ozeli/Xibknlpkg.vdf true unknown