Windows Analysis Report
3u8A2xjbBT.exe

Overview

General Information

Sample name: 3u8A2xjbBT.exe
renamed because original name is a hash value
Original sample name: 8391d3b5332c4b1164333ddce388a8c7.exe
Analysis ID: 1545318
MD5: 8391d3b5332c4b1164333ddce388a8c7
SHA1: b982fc92ed38565debf033b0ffaa2181a8caa5e7
SHA256: e201e9a5c9fd3a68f54e2ada061a242df3ed813e56d2b09e2c8efc04953c2f72
Tags: 32exetrojan
Infos:

Detection

LiteHTTP Bot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LiteHTTP Bot
.NET source code contains potential unpacker
AI detected suspicious sample
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 3u8A2xjbBT.exe Avira: detected
Source: C:\Users\user\OneDrive\msbuild.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\mozilla maintenance service.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\jdownloader.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\msecache.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\google.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\windows mail.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\common files.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\java.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\windows defender.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\microsoft.net.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\microsoft.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\reference assemblies.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\microsoft office.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\internet explorer.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\autoit3.exe Avira: detection malicious, Label: DR/AVI.Agent.mrstb
Source: C:\Users\user\OneDrive\autoit3.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\common files.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\google.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\internet explorer.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\java.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\jdownloader.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\microsoft office.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\microsoft.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\microsoft.net.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\mozilla maintenance service.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\msbuild.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\msecache.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\reference assemblies.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\windows defender.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\windows mail.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\windows media player.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\windows multimedia platform.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\windows nt.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\windows photo viewer.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\windows portable devices.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\windows sidebar.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\OneDrive\windowspowershell.exe ReversingLabs: Detection: 67%
Source: 3u8A2xjbBT.exe ReversingLabs: Detection: 67%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\OneDrive\msbuild.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\mozilla maintenance service.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\jdownloader.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\msecache.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\google.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\windows mail.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\common files.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\java.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\windows defender.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\microsoft.net.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\microsoft.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\reference assemblies.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\microsoft office.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\internet explorer.exe Joe Sandbox ML: detected
Source: C:\Users\user\OneDrive\autoit3.exe Joe Sandbox ML: detected
Source: 3u8A2xjbBT.exe Joe Sandbox ML: detected

Bitcoin Miner

Source: 3u8A2xjbBT.exe, 00000000.00000002.3711597312.00000000033B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: CryptoNight
Source: 3u8A2xjbBT.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3u8A2xjbBT.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0166ADF4
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0166AE00
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 15_2_02A1AE00
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 15_2_02A1ADF4
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 16_2_0182ADF4
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 16_2_0182AE00

Networking

Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49982 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49985 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49994 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49988 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49992 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49989 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49978 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49990 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49979 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49984 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49975 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49991 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49980 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49998 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49976 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49986 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49989 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49979 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49989 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49979 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49976 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49986 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49976 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49992 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49992 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49987 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49984 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49980 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49987 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49987 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49985 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49991 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49980 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49985 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49998 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49986 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49994 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49984 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49982 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49994 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49982 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49998 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49988 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49990 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49990 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49978 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:50000 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49978 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:50000 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49975 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49988 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49991 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:50000 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49999 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49975 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49981 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49981 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49996 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49981 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49993 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49977 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49996 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49996 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49997 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49993 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49977 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49977 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49993 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49999 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49999 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49983 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49983 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49983 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2830238 - Severity 1 - ETPRO MALWARE Observed LiteHTTP Bot Default User-Agent : 192.168.2.7:49995 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49997 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49997 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2819705 - Severity 1 - ETPRO MALWARE MSIL/LiteHTTP Bot CnC Checkin : 192.168.2.7:49995 -> 87.120.126.5:80
Source: Network traffic Suricata IDS: 2829909 - Severity 1 - ETPRO MALWARE LiteHTTP Bot CnC Checkin M2 : 192.168.2.7:49995 -> 87.120.126.5:80
Source: Yara match File source: 3u8A2xjbBT.exe, type: SAMPLE
Source: Yara match File source: C:\Users\user\OneDrive\microsoft.net.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\windows nt.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\java.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\windowspowershell.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\google.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\windows portable devices.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\windows media player.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\mozilla maintenance service.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\autoit3.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\windows defender.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\windows mail.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\windows sidebar.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\windows photo viewer.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\microsoft.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\windows multimedia platform.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\internet explorer.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\common files.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\jdownloader.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\reference assemblies.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\msecache.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\microsoft office.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\OneDrive\msbuild.exe, type: DROPPED
Source: Joe Sandbox View ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.126.5
Source: unknown HTTP traffic detected:
POST /VmCetSC7/page.php HTTP/1.1
User-Agent: E9BC3BD76216AFA560BFB5ACAF5731A3
Content-Type: application/x-www-form-urlencoded
Host: 87.120.126.5
Content-Length: 471
Expect: 100-continue
Connection: Keep-Alive
Source: 3u8A2xjbBT.exe, 00000000.00000002.3711597312.0000000003638000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000000.00000002.3711597312.0000000003524000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000000.00000002.3711597312.00000000034DB000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000000.00000002.3711597312.0000000003660000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000000.00000002.3711597312.0000000003554000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000000.00000002.3711597312.0000000003688000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 0000000F.00000002.3711404452.0000000002CF7000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 0000000F.00000002.3711404452.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 0000000F.00000002.3711404452.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000010.00000002.3711218629.0000000003120000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000010.00000002.3711218629.000000000316D000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000010.00000002.3711218629.0000000003132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.120.126.5
Source: 3u8A2xjbBT.exe, 00000000.00000002.3711597312.00000000033E6000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 0000000F.00000002.3711404452.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000010.00000002.3711218629.0000000003037000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.120.126.5/VmCetSC7/page.php
Source: 3u8A2xjbBT.exe, 00000000.00000002.3711597312.0000000003638000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000000.00000002.3711597312.0000000003524000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000000.00000002.3711597312.0000000003660000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000000.00000002.3711597312.000000000347E000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000000.00000002.3711597312.0000000003554000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000000.00000002.3711597312.0000000003688000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 0000000F.00000002.3711404452.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 0000000F.00000002.3711404452.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 0000000F.00000002.3711404452.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000010.00000002.3711218629.000000000316D000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000010.00000002.3711218629.0000000003089000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000010.00000002.3711218629.0000000003132000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.120.126.5/VmCetSC7/page.phpP
Source: 3u8A2xjbBT.exe, 0000000F.00000002.3716378962.000000000A222000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.120.126.5/VmCetSC7/page.phpy
Source: 3u8A2xjbBT.exe, msbuild.exe.0.dr, mozilla maintenance service.exe.0.dr, windows photo viewer.exe.0.dr, uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe.0.dr, windowspowershell.exe.0.dr, windows media player.exe.0.dr, jdownloader.exe.0.dr, windows portable devices.exe.0.dr, msecache.exe.0.dr, google.exe.0.dr, windows mail.exe.0.dr, common files.exe.0.dr, java.exe.0.dr, windows defender.exe.0.dr, windows sidebar.exe.0.dr, microsoft.net.exe.0.dr, windows multimedia platform.exe.0.dr, windows nt.exe.0.dr, microsoft.exe.0.dr, reference assemblies.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 3u8A2xjbBT.exe, msbuild.exe.0.dr, mozilla maintenance service.exe.0.dr, windows photo viewer.exe.0.dr, uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe.0.dr, windowspowershell.exe.0.dr, windows media player.exe.0.dr, jdownloader.exe.0.dr, windows portable devices.exe.0.dr, msecache.exe.0.dr, google.exe.0.dr, windows mail.exe.0.dr, common files.exe.0.dr, java.exe.0.dr, windows defender.exe.0.dr, windows sidebar.exe.0.dr, microsoft.net.exe.0.dr, windows multimedia platform.exe.0.dr, windows nt.exe.0.dr, microsoft.exe.0.dr, reference assemblies.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 3u8A2xjbBT.exe, msbuild.exe.0.dr, mozilla maintenance service.exe.0.dr, windows photo viewer.exe.0.dr, uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe.0.dr, windowspowershell.exe.0.dr, windows media player.exe.0.dr, jdownloader.exe.0.dr, windows portable devices.exe.0.dr, msecache.exe.0.dr, google.exe.0.dr, windows mail.exe.0.dr, common files.exe.0.dr, java.exe.0.dr, windows defender.exe.0.dr, windows sidebar.exe.0.dr, microsoft.net.exe.0.dr, windows multimedia platform.exe.0.dr, windows nt.exe.0.dr, microsoft.exe.0.dr, reference assemblies.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 3u8A2xjbBT.exe, msbuild.exe.0.dr, mozilla maintenance service.exe.0.dr, windows photo viewer.exe.0.dr, uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe.0.dr, windowspowershell.exe.0.dr, windows media player.exe.0.dr, jdownloader.exe.0.dr, windows portable devices.exe.0.dr, msecache.exe.0.dr, google.exe.0.dr, windows mail.exe.0.dr, common files.exe.0.dr, java.exe.0.dr, windows defender.exe.0.dr, windows sidebar.exe.0.dr, microsoft.net.exe.0.dr, windows multimedia platform.exe.0.dr, windows nt.exe.0.dr, microsoft.exe.0.dr, reference assemblies.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 3u8A2xjbBT.exe, msbuild.exe.0.dr, mozilla maintenance service.exe.0.dr, windows photo viewer.exe.0.dr, uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe.0.dr, windowspowershell.exe.0.dr, windows media player.exe.0.dr, jdownloader.exe.0.dr, windows portable devices.exe.0.dr, msecache.exe.0.dr, google.exe.0.dr, windows mail.exe.0.dr, common files.exe.0.dr, java.exe.0.dr, windows defender.exe.0.dr, windows sidebar.exe.0.dr, microsoft.net.exe.0.dr, windows multimedia platform.exe.0.dr, windows nt.exe.0.dr, microsoft.exe.0.dr, reference assemblies.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 3u8A2xjbBT.exe, msbuild.exe.0.dr, mozilla maintenance service.exe.0.dr, windows photo viewer.exe.0.dr, uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe.0.dr, windowspowershell.exe.0.dr, windows media player.exe.0.dr, jdownloader.exe.0.dr, windows portable devices.exe.0.dr, msecache.exe.0.dr, google.exe.0.dr, windows mail.exe.0.dr, common files.exe.0.dr, java.exe.0.dr, windows defender.exe.0.dr, windows sidebar.exe.0.dr, microsoft.net.exe.0.dr, windows multimedia platform.exe.0.dr, windows nt.exe.0.dr, microsoft.exe.0.dr, reference assemblies.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 3u8A2xjbBT.exe, msbuild.exe.0.dr, mozilla maintenance service.exe.0.dr, windows photo viewer.exe.0.dr, uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe.0.dr, windowspowershell.exe.0.dr, windows media player.exe.0.dr, jdownloader.exe.0.dr, windows portable devices.exe.0.dr, msecache.exe.0.dr, google.exe.0.dr, windows mail.exe.0.dr, common files.exe.0.dr, java.exe.0.dr, windows defender.exe.0.dr, windows sidebar.exe.0.dr, microsoft.net.exe.0.dr, windows multimedia platform.exe.0.dr, windows nt.exe.0.dr, microsoft.exe.0.dr, reference assemblies.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: autoit3.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 3u8A2xjbBT.exe, msbuild.exe.0.dr, mozilla maintenance service.exe.0.dr, windows photo viewer.exe.0.dr, uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe.0.dr, windowspowershell.exe.0.dr, windows media player.exe.0.dr, jdownloader.exe.0.dr, windows portable devices.exe.0.dr, msecache.exe.0.dr, google.exe.0.dr, windows mail.exe.0.dr, common files.exe.0.dr, java.exe.0.dr, windows defender.exe.0.dr, windows sidebar.exe.0.dr, microsoft.net.exe.0.dr, windows multimedia platform.exe.0.dr, windows nt.exe.0.dr, microsoft.exe.0.dr, reference assemblies.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 3u8A2xjbBT.exe, msbuild.exe.0.dr, mozilla maintenance service.exe.0.dr, windows photo viewer.exe.0.dr, uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe.0.dr, windowspowershell.exe.0.dr, windows media player.exe.0.dr, jdownloader.exe.0.dr, windows portable devices.exe.0.dr, msecache.exe.0.dr, google.exe.0.dr, windows mail.exe.0.dr, common files.exe.0.dr, java.exe.0.dr, windows defender.exe.0.dr, windows sidebar.exe.0.dr, microsoft.net.exe.0.dr, windows multimedia platform.exe.0.dr, windows nt.exe.0.dr, microsoft.exe.0.dr, reference assemblies.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: 3u8A2xjbBT.exe, msbuild.exe.0.dr, mozilla maintenance service.exe.0.dr, windows photo viewer.exe.0.dr, uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe.0.dr, windowspowershell.exe.0.dr, windows media player.exe.0.dr, jdownloader.exe.0.dr, windows portable devices.exe.0.dr, msecache.exe.0.dr, google.exe.0.dr, windows mail.exe.0.dr, common files.exe.0.dr, java.exe.0.dr, windows defender.exe.0.dr, windows sidebar.exe.0.dr, microsoft.net.exe.0.dr, windows multimedia platform.exe.0.dr, windows nt.exe.0.dr, microsoft.exe.0.dr, reference assemblies.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: 3u8A2xjbBT.exe, msbuild.exe.0.dr, mozilla maintenance service.exe.0.dr, windows photo viewer.exe.0.dr, uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe.0.dr, windowspowershell.exe.0.dr, windows media player.exe.0.dr, jdownloader.exe.0.dr, windows portable devices.exe.0.dr, msecache.exe.0.dr, google.exe.0.dr, windows mail.exe.0.dr, common files.exe.0.dr, java.exe.0.dr, windows defender.exe.0.dr, windows sidebar.exe.0.dr, microsoft.net.exe.0.dr, windows multimedia platform.exe.0.dr, windows nt.exe.0.dr, microsoft.exe.0.dr, reference assemblies.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 3u8A2xjbBT.exe, msbuild.exe.0.dr, mozilla maintenance service.exe.0.dr, windows photo viewer.exe.0.dr, uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe.0.dr, windowspowershell.exe.0.dr, windows media player.exe.0.dr, jdownloader.exe.0.dr, windows portable devices.exe.0.dr, msecache.exe.0.dr, google.exe.0.dr, windows mail.exe.0.dr, common files.exe.0.dr, java.exe.0.dr, windows defender.exe.0.dr, windows sidebar.exe.0.dr, microsoft.net.exe.0.dr, windows multimedia platform.exe.0.dr, windows nt.exe.0.dr, microsoft.exe.0.dr, reference assemblies.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: 3u8A2xjbBT.exe, 00000000.00000002.3711597312.000000000347E000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 0000000F.00000002.3711404452.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000010.00000002.3711218629.0000000003089000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3u8A2xjbBT.exe, msbuild.exe.0.dr, mozilla maintenance service.exe.0.dr, windows photo viewer.exe.0.dr, uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe.0.dr, windowspowershell.exe.0.dr, windows media player.exe.0.dr, jdownloader.exe.0.dr, windows portable devices.exe.0.dr, msecache.exe.0.dr, google.exe.0.dr, windows mail.exe.0.dr, common files.exe.0.dr, java.exe.0.dr, windows defender.exe.0.dr, windows sidebar.exe.0.dr, microsoft.net.exe.0.dr, windows multimedia platform.exe.0.dr, windows nt.exe.0.dr, microsoft.exe.0.dr, reference assemblies.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process Stats: CPU usage > 49%
Source: 3u8A2xjbBT.exe Static PE information: invalid certificate
Source: 3u8A2xjbBT.exe, 00000000.00000000.1254425565.0000000000F82000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAnubis.exe> vs 3u8A2xjbBT.exe
Source: 3u8A2xjbBT.exe, 00000000.00000002.3710064092.000000000167E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 3u8A2xjbBT.exe
Source: 3u8A2xjbBT.exe, 00000000.00000002.3717623795.000000000C120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAnubis.exe> vs 3u8A2xjbBT.exe
Source: 3u8A2xjbBT.exe, 0000000F.00000002.3716378962.000000000A2AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAnubis.exe> vs 3u8A2xjbBT.exe
Source: 3u8A2xjbBT.exe Binary or memory string: OriginalFilenameAnubis.exe> vs 3u8A2xjbBT.exe
Source: 3u8A2xjbBT.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3u8A2xjbBT.exe, -----------------------------------------.cs Cryptographic APIs: 'CreateDecryptor'
Source: windows multimedia platform.exe.0.dr, -----------------------------------------.cs Cryptographic APIs: 'CreateDecryptor'
Source: windows nt.exe.0.dr, -----------------------------------------.cs Cryptographic APIs: 'CreateDecryptor'
Source: windows photo viewer.exe.0.dr, -----------------------------------------.cs Cryptographic APIs: 'CreateDecryptor'
Source: windows portable devices.exe.0.dr, -----------------------------------------.cs Cryptographic APIs: 'CreateDecryptor'
Source: windows sidebar.exe.0.dr, -----------------------------------------.cs Cryptographic APIs: 'CreateDecryptor'
Source: autoit3.exe.0.dr, -----------------------------------------.cs Cryptographic APIs: 'CreateDecryptor'
Source: windowspowershell.exe.0.dr, -----------------------------------------.cs Cryptographic APIs: 'CreateDecryptor'
Source: common files.exe.0.dr, -----------------------------------------.cs Cryptographic APIs: 'CreateDecryptor'
Source: google.exe.0.dr, -----------------------------------------.cs Cryptographic APIs: 'CreateDecryptor'
Source: windows nt.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: windows nt.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: common files.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: common files.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: windows multimedia platform.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: windows multimedia platform.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: windows portable devices.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: windows portable devices.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: windows sidebar.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: windows sidebar.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: windowspowershell.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: windowspowershell.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3u8A2xjbBT.exe, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3u8A2xjbBT.exe, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: autoit3.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: autoit3.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: windows photo viewer.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: windows photo viewer.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: google.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: google.exe.0.dr, --c4X9AJE02-i---a--F--o8E.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.mine.winEXE@72/47@0/1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3u8A2xjbBT.lnk Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Mutant created: NULL
Source: 3u8A2xjbBT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 3u8A2xjbBT.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 3u8A2xjbBT.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File read: C:\Users\user\Desktop\3u8A2xjbBT.exe
Source: unknown Process created: C:\Users\user\Desktop\3u8A2xjbBT.exe "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "3u8A2xjbBT"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc onlogon /tn "3u8A2xjbBT" /tr "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\3u8A2xjbBT.exe C:\Users\user\Desktop\3u8A2xjbBT.exe
Source: unknown Process created: C:\Users\user\Desktop\3u8A2xjbBT.exe "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "3u8A2xjbBT"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "3u8A2xjbBT"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Windows\SysWOW64\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "3u8A2xjbBT"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc onlogon /tn "3u8A2xjbBT" /tr "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "3u8A2xjbBT"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "3u8A2xjbBT"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: 3u8A2xjbBT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 3u8A2xjbBT.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 3u8A2xjbBT.exe, -Module-.cs .Net Code: _206A_200E_206C_206E_202D_206D_200C_202E_200E_206D_202E_200D_202D_200E_206E_200D_206E_206A_200F_206A_200B_200B_202B_206F_202E_200E_202D_200B_202A_206A_206B_206D_200D_200B_202C_206F_200F_206B_202E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: windows multimedia platform.exe.0.dr, -Module-.cs .Net Code: _206A_200E_206C_206E_202D_206D_200C_202E_200E_206D_202E_200D_202D_200E_206E_200D_206E_206A_200F_206A_200B_200B_202B_206F_202E_200E_202D_200B_202A_206A_206B_206D_200D_200B_202C_206F_200F_206B_202E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: windows nt.exe.0.dr, -Module-.cs .Net Code: _206A_200E_206C_206E_202D_206D_200C_202E_200E_206D_202E_200D_202D_200E_206E_200D_206E_206A_200F_206A_200B_200B_202B_206F_202E_200E_202D_200B_202A_206A_206B_206D_200D_200B_202C_206F_200F_206B_202E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: windows photo viewer.exe.0.dr, -Module-.cs .Net Code: _206A_200E_206C_206E_202D_206D_200C_202E_200E_206D_202E_200D_202D_200E_206E_200D_206E_206A_200F_206A_200B_200B_202B_206F_202E_200E_202D_200B_202A_206A_206B_206D_200D_200B_202C_206F_200F_206B_202E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: windows portable devices.exe.0.dr, -Module-.cs .Net Code: _206A_200E_206C_206E_202D_206D_200C_202E_200E_206D_202E_200D_202D_200E_206E_200D_206E_206A_200F_206A_200B_200B_202B_206F_202E_200E_202D_200B_202A_206A_206B_206D_200D_200B_202C_206F_200F_206B_202E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: windows sidebar.exe.0.dr, -Module-.cs .Net Code: _206A_200E_206C_206E_202D_206D_200C_202E_200E_206D_202E_200D_202D_200E_206E_200D_206E_206A_200F_206A_200B_200B_202B_206F_202E_200E_202D_200B_202A_206A_206B_206D_200D_200B_202C_206F_200F_206B_202E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: autoit3.exe.0.dr, -Module-.cs .Net Code: _206A_200E_206C_206E_202D_206D_200C_202E_200E_206D_202E_200D_202D_200E_206E_200D_206E_206A_200F_206A_200B_200B_202B_206F_202E_200E_202D_200B_202A_206A_206B_206D_200D_200B_202C_206F_200F_206B_202E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: windowspowershell.exe.0.dr, -Module-.cs .Net Code: _206A_200E_206C_206E_202D_206D_200C_202E_200E_206D_202E_200D_202D_200E_206E_200D_206E_206A_200F_206A_200B_200B_202B_206F_202E_200E_202D_200B_202A_206A_206B_206D_200D_200B_202C_206F_200F_206B_202E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: common files.exe.0.dr, -Module-.cs .Net Code: _206A_200E_206C_206E_202D_206D_200C_202E_200E_206D_202E_200D_202D_200E_206E_200D_206E_206A_200F_206A_200B_200B_202B_206F_202E_200E_202D_200B_202A_206A_206B_206D_200D_200B_202C_206F_200F_206B_202E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: google.exe.0.dr, -Module-.cs .Net Code: _206A_200E_206C_206E_202D_206D_200C_202E_200E_206D_202E_200D_202D_200E_206E_200D_206E_206A_200F_206A_200B_200B_202B_206F_202E_200E_202D_200B_202A_206A_206B_206D_200D_200B_202C_206F_200F_206B_202E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 0_2_01662158 pushad ; iretd 0_2_01662159
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 0_2_0166B1FD push esp; retf 0_2_0166B1D3
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 0_2_0166B1C5 push esp; retf 0_2_0166B1D3
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 0_2_0166ABAE push ebx; iretd 0_2_0166ABAF
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 0_2_01664453 push ebp; retf 0_2_01664454
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 0_2_01660F29 push es; iretd 0_2_01660F2A
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 0_2_01660F33 push es; iretd 0_2_01660F34
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 0_2_0BBE6364 pushad ; retf 0_2_0BBE63B9
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 15_2_02A12158 pushad ; iretd 15_2_02A12159
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 15_2_02A10F29 push es; iretd 15_2_02A10F2A
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 15_2_02A10F33 push es; iretd 15_2_02A10F34
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 15_2_02A14453 push ebp; retf 15_2_02A14454
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 16_2_01822158 pushad ; iretd 16_2_01822159
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 16_2_01824453 push ebp; retf 16_2_01824454
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 16_2_01820F29 push es; iretd 16_2_01820F2A
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 16_2_01820F33 push es; iretd 16_2_01820F34
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 16_2_059AC941 push 9C059093h; ret 16_2_059AC94D
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 16_2_0A49AB57 push E802005Eh; retf 16_2_0A49AB61
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 16_2_0A49C954 push 850FD83Bh; ret 16_2_0A49C959
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 16_2_0A490FFA push 7000005Eh; ret 16_2_0A491001
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 16_2_0A4910A2 push 1800005Eh; retf 16_2_0A4910B1
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 16_2_0A4910B2 push esp; iretd 16_2_0A491101

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\microsoft office.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\windows multimedia platform.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\windows nt.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\mozilla maintenance service.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\windows mail.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\uyihfjjsbovlcbxlcojsmqtzznevrdoctnxfvfrajmemtqlbiqoohtfay.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\windows sidebar.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\windows media player.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\autoit3.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\windowspowershell.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\common files.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\google.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\java.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\internet explorer.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\msecache.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\reference assemblies.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\windows photo viewer.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\microsoft.net.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\microsoft.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\windows defender.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\jdownloader.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\windows portable devices.exe
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\OneDrive\msbuild.exe

Boot Survival

Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "3u8A2xjbBT"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3u8A2xjbBT.lnk
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: 3u8A2xjbBT.exe PID: 6464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3u8A2xjbBT.exe PID: 2908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3u8A2xjbBT.exe PID: 4704, type: MEMORYSTR
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 1620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 33A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 32C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 5940000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 6940000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 6A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 7A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 7E00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 8E00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 9E00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 2930000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 2C10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 2930000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 5160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 6160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 6290000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 7290000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 75E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 85E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 1820000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 3030000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 5030000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 57B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 67B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 68E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 78E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 7C70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: 8C70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Code function: 15_2_05832D40 sldt word ptr [eax] 15_2_05832D40
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Window / User API: threadDelayed 2839
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Window / User API: threadDelayed 6938
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Window / User API: threadDelayed 7034
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Window / User API: threadDelayed 2753
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Window / User API: threadDelayed 4397
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Window / User API: threadDelayed 5383
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep count: 38 > 30
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -39830s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6356 Thread sleep count: 2839 > 30
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -39705s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -39580s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6356 Thread sleep count: 6938 > 30
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -39455s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -39330s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -39205s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -39094s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -38984s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -38846s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -38734s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -38512s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -38392s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -38145s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -37689s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -37392s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -36984s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -36873s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -36767s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -36642s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -36517s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -36392s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -36267s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -36142s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -36017s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -35892s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -35767s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -35642s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -35517s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -35392s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -35267s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -35142s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -35017s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -34892s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -34752s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -34627s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -34455s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -34300s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -33731s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -33622s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -33514s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -33406s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -33299s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -33174s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -33049s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -32924s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -32799s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -32674s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -32549s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -32424s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -32299s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -32174s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -32049s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -31924s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -31799s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -31674s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep count: 36 > 30
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -39830s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -39705s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 5404 Thread sleep count: 7034 > 30 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -39580s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 5404 Thread sleep count: 2753 > 30 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -39455s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -39330s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -39205s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -39080s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -38955s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -38830s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -38705s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -38580s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -38455s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -38330s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -38205s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -38080s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -37152s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -36833s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -36705s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -36580s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -36455s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -36330s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -36205s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -36080s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -35955s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -35830s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -35705s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -35580s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -35455s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -35330s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -35205s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -35080s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -34955s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -34830s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -34705s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -34580s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -34398s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -34276s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -34081s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -33686s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -33361s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -33235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -33098s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -32942s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -32814s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -32689s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -32564s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -32439s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -32314s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -32189s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -32064s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -31939s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -31814s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep count: 36 > 30
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -39830s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -39705s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 576 Thread sleep count: 4397 > 30
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 576 Thread sleep count: 5383 > 30
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -39580s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -39455s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -39330s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -39205s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -39080s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -38955s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -38830s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -38705s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -38580s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -38455s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -38330s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -38205s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -38080s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -37908s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -37782s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -37663s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -37449s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -37283s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -37156s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -36779s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -36533s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -36339s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -36228s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -36111s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -35986s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -35861s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -35721s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -35596s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -35471s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -35346s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -35221s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -35096s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -34971s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -34846s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -34721s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -34596s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -34471s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -34346s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -34221s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -34096s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -33971s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -33833s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -33668s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -33506s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -33388s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -33281s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -33173s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -33033s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -32908s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -32783s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -32658s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -32533s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 6136 Thread sleep time: -32408s >= -30000s
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39830 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39705 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39580 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39455 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39330 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39205 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39094 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38984 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38846 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38734 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38512 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38392 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38145 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 37689 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 37392 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36984 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36873 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36767 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36642 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36517 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36392 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36267 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36142 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36017 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35892 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35767 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35642 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35517 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35392 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35267 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35142 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35017 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34892 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34752 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34627 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34455 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34300 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33731 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33622 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33514 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33406 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33299 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33174 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33049 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32924 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32799 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32674 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32549 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32424 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32299 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32174 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32049 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 31924 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 31799 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 31674 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39830 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39705 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39580 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39455 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39330 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39205 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39080 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38955 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38830 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38705 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38580 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38455 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38330 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38205 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38080 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 37152 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36833 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36705 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36580 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36455 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36330 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36205 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36080 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35955 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35830 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35705 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35580 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35455 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35330 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35205 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35080 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34955 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34830 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34705 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34580 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34398 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34276 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34081 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33686 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33361 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33235 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33098 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32942 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32814 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32689 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32564 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32439 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32314 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32189 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32064 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 31939 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 31814 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39830
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39705
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39580
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39455
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39330
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39205
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39080
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38955
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38830
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38705
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38580
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38455
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38330
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38205
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 38080
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 37908
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 37782
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 37663
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 37449
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 37283
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 37156
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36779
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36533
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36339
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36228
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 36111
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35986
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35861
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35721
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35596
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35471
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35346
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35221
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 35096
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34971
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34846
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34721
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34596
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34471
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34346
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34221
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 34096
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33971
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33833
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33668
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33506
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33388
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33281
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33173
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 33033
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32908
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32783
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32658
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32533
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 32408
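The sleep lines (TIDs 4732, 2412, 5404, 6136, 576) and the "Thread delayed" lines above are the raw evidence behind the "May sleep (evasive loops)" and "Contains long sleeps (>= 3 min)" verdicts. The worth-keeping detail is the shape, not the individual numbers: each thread re-sleeps a value that shrinks by a constant 125 ms (39830, 39705, 39580, ...), which is a loop burning a remaining budget rather than an idle timer, and twice per thread a value appears that cannot be a real wait (922337203685477 is .NET TimeSpan.MaxValue in milliseconds; -33204139332677172 is likewise impossible as a wall-clock delay). The following is an added example, not part of this report and not Joe Sandbox code, that turns lines in exactly this format into a per-thread stalling profile. It assumes the report's "s" suffix is really milliseconds (the same numbers recur as "delay time: 39830", and -30000 reads as a 30 s threshold) and that anything above 10^12 ms is a sleep-forever sentinel; the sample input is a verbatim subset of the lines above.

```python
"""Per-thread stalling profile from Joe Sandbox 'Thread sleep' / 'Thread delayed' lines.

Added example, not part of the report.  Assumes the report's 's' suffix is
milliseconds and that any value >= SENTINEL_MS is a sleep-forever marker.
"""
import re
from collections import defaultdict

SLEEP_TIME_RE = re.compile(r"TID: (\d+) Thread sleep time: -(\d+)s >= -(\d+)s")
SLEEP_COUNT_RE = re.compile(r"TID: (\d+) Thread sleep count: (\d+) > (\d+)")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")

SENTINEL_MS = 10**12           # ~31 years; .NET TimeSpan.MaxValue is 922337203685477 ms
LONG_SLEEP_TOTAL_MS = 180_000  # the report's "long sleeps (>= 3 min)" bar
LOOP_CALLS = 30                # the report's "sleep count > 30" bar

# Constructed input: a verbatim subset of the report's own lines (TIDs 4732, 2412, 5404).
SAMPLE = r"""Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -36392s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -36267s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -36142s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 4732 Thread sleep time: -36017s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -39830s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -39705s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 5404 Thread sleep count: 7034 > 30 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 2412 Thread sleep time: -39580s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe TID: 5404 Thread sleep count: 2753 > 30 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Thread delayed: delay time: 39830 Jump to behavior
"""


def countdown_step(sleeps_ms):
    """Return the fixed decrement if every sleep is shorter than the last by the same amount.

    A constant step (125 ms in this report) means the loop re-sleeps a shrinking
    remainder: a deliberate stall, not an idle wait.  None when no such pattern.
    """
    if len(sleeps_ms) < 3:
        return None
    deltas = {earlier - later for earlier, later in zip(sleeps_ms, sleeps_ms[1:])}
    step = deltas.pop() if len(deltas) == 1 else None
    return step if step and step > 0 else None


def is_stalling(entry):
    """Mirror the report's verdicts: >= 3 min asleep, a sleep-forever sentinel,
    a fixed-step countdown, or more than 30 sleep calls inside one loop."""
    return (entry["total_ms"] >= LONG_SLEEP_TOTAL_MS
            or entry["sentinel_sleeps"] > 0
            or entry["countdown_step_ms"] is not None
            or entry["loop_sleep_calls"] > LOOP_CALLS)


def parse_sleep_evidence(report_text):
    """Group sleep evidence by TID; 'Thread delayed' lines carry no TID, so count them globally."""
    threads = defaultdict(lambda: {"sleeps_ms": [], "loop_counts": [], "sentinels": 0})
    delays = {"calls": 0, "sentinels": 0}
    for line in report_text.splitlines():
        if (m := SLEEP_TIME_RE.search(line)):
            tid, ms = m.group(1), int(m.group(2))
            if ms >= SENTINEL_MS:
                threads[tid]["sentinels"] += 1
            else:
                threads[tid]["sleeps_ms"].append(ms)
        elif (m := SLEEP_COUNT_RE.search(line)):
            threads[m.group(1)]["loop_counts"].append(int(m.group(2)))
        elif (m := DELAY_RE.search(line)):
            delays["calls"] += 1
            delays["sentinels"] += int(m.group(1)) >= SENTINEL_MS
    return threads, delays


def profile_threads(report_text):
    """Per-thread totals, maxima, loop-call counts and the countdown fingerprint, plus a verdict."""
    threads, delays = parse_sleep_evidence(report_text)
    profile = {"delay_calls": delays["calls"], "delay_sentinels": delays["sentinels"], "threads": {}}
    for tid, t in threads.items():
        sleeps = t["sleeps_ms"]
        entry = {
            "long_sleeps": len(sleeps),
            "total_ms": sum(sleeps),
            "max_ms": max(sleeps, default=0),
            "loop_sleep_calls": sum(t["loop_counts"]),
            "sentinel_sleeps": t["sentinels"],
            "countdown_step_ms": countdown_step(sleeps),
        }
        entry["stalling"] = is_stalling(entry)
        profile["threads"][tid] = entry
    return profile


if __name__ == "__main__":
    result = profile_threads(SAMPLE)
    print(f"delay calls: {result['delay_calls']} (sentinels: {result['delay_sentinels']})")
    for tid, entry in sorted(result["threads"].items()):
        print(f"TID {tid}: {entry}")
```

Run against the full report the profile collapses some 150 lines per thread into one row each; the countdown step and the sentinel count are what distinguish a stalling loop from a legitimately idle worker, and they survive even when the absolute sleep lengths are tuned below a sandbox's per-call threshold.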
Source: 3u8A2xjbBT.exe, 00000000.00000002.3716578123.000000000BA67000.00000004.00000020.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 0000000F.00000002.3716378962.000000000A222000.00000004.00000020.00020000.00000000.sdmp, 3u8A2xjbBT.exe, 00000010.00000002.3715570746.000000000A86C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "3u8A2xjbBT"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /sc onlogon /tn "3u8A2xjbBT" /tr "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "3u8A2xjbBT"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /Query /TN "3u8A2xjbBT"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: C:\Windows\SysWOW64\attrib.exe "attrib.exe" +h +s "C:\Users\user\Desktop\3u8A2xjbBT.exe"
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Queries volume information: C:\Users\user\Desktop\3u8A2xjbBT.exe VolumeInformation
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Queries volume information: C:\Users\user\Desktop\3u8A2xjbBT.exe VolumeInformation
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Queries volume information: C:\Users\user\Desktop\3u8A2xjbBT.exe VolumeInformation
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\3u8A2xjbBT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
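The process-creation entries above show the sample's self-persistence routine: a `schtasks /create /sc onlogon` task whose action points back at the binary in the user's Desktop folder, followed by repeated `attrib +h +s` calls to mark that binary hidden and system. The following detection logic is an added example (not part of the sandbox output or of the analyzed sample) that flags exactly this pattern in process-creation command lines. The sample command lines are constructed for the example: the three recorded in this report plus two benign ones for contrast; the trusted-directory list and the set of executable extensions are the example's own assumptions.

```python
import re

# Constructed sample input: the schtasks/attrib command lines recorded in this
# report, plus two benign lines (a vendor task under Program Files and a plain
# read-only attribute on a document) that must not trigger.
SAMPLE_CMDLINES = [
    '"schtasks" /Query /TN "3u8A2xjbBT"',
    '"C:\\Windows\\System32\\schtasks.exe" /create /f /sc onlogon /tn "3u8A2xjbBT" '
    '/tr "C:\\Users\\user\\Desktop\\3u8A2xjbBT.exe"',
    '"attrib.exe" +h +s "C:\\Users\\user\\Desktop\\3u8A2xjbBT.exe"',
    '"C:\\Windows\\System32\\schtasks.exe" /create /sc daily /tn "Updater" '
    '/tr "C:\\Program Files\\Vendor\\update.exe"',
    '"attrib.exe" +r "C:\\Users\\user\\Documents\\notes.txt"',
]

# Assumption: task actions living under these roots are treated as expected;
# anything else (user profile, Temp, ProgramData, removable media) is suspect.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: extensions a scheduled task or attrib call should not normally hide.
PE_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js")
LOGON_TRIGGERS = ("onlogon", "onstart")


def tokenize(cmdline):
    """Windows-style split: a double-quoted run is one token, quotes stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def opt(tokens, name):
    """Value following a /name switch (case-insensitive), or None if absent."""
    for i, t in enumerate(tokens):
        if t.lower() == name and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def analyze(cmdline):
    """Return finding strings for one process-creation command line."""
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    image = tokens[0].lower().rsplit("\\", 1)[-1]   # basename of the image
    switches = [t.lower() for t in tokens[1:]]
    findings = []

    # Persistence: logon/boot-triggered task whose action is outside trusted roots.
    if image in ("schtasks", "schtasks.exe") and "/create" in switches:
        trigger = (opt(tokens, "/sc") or "").lower()
        action = opt(tokens, "/tr") or ""
        task_name = opt(tokens, "/tn") or "<unnamed>"
        if trigger in LOGON_TRIGGERS and not in_trusted_dir(action):
            findings.append(
                f"schtasks: {trigger} task '{task_name}' runs {action} "
                f"outside Windows/Program Files"
            )

    # Defense evasion: hidden+system attributes set on an executable file.
    if image in ("attrib", "attrib.exe"):
        target = next((t for t in tokens[1:] if not t.startswith(("+", "-", "/"))), "")
        if "+h" in switches and "+s" in switches and target.lower().endswith(PE_EXTS):
            findings.append(f"attrib: +h +s applied to executable {target}")

    return findings


def scan(cmdlines):
    """Return [(cmdline, findings)] for every command line that produced a finding."""
    results = []
    for c in cmdlines:
        f = analyze(c)
        if f:
            results.append((c, f))
    return results


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES):
        print(cmd)
        for h in hits:
            print("   ->", h)
```

Run over the five constructed lines, only the `onlogon` task creation and the `+h +s` attrib call are reported; the `/Query` probe that precedes the create (the bot checking whether its task already exists), the daily vendor task and the read-only attribute on a text file pass silently. In a real pipeline the input would be the CommandLine field of Sysmon event 1 or Windows Security event 4688, and the repeated attrib invocations seen in this report would additionally be worth a frequency rule per parent process.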

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 16.2.3u8A2xjbBT.exe.3039c04.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3711597312.0000000003524000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.0000000003638000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3711404452.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3711404452.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.0000000003536000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.0000000003688000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.00000000036B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3711404452.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3711404452.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3711218629.0000000003132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3711218629.0000000003037000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.000000000347E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3711218629.0000000003089000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3711218629.000000000316D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.0000000003554000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3711404452.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3u8A2xjbBT.exe PID: 6464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3u8A2xjbBT.exe PID: 2908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3u8A2xjbBT.exe PID: 4704, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 16.2.3u8A2xjbBT.exe.3039c04.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3711597312.0000000003524000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.0000000003638000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3711404452.0000000002D3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3711404452.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.0000000003536000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.0000000003688000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.00000000036B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3711404452.0000000002D72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.00000000034F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3711404452.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3711218629.0000000003132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3711218629.0000000003037000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.000000000347E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3711218629.0000000003089000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.3711218629.000000000316D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3711597312.0000000003554000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3711404452.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3u8A2xjbBT.exe PID: 6464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3u8A2xjbBT.exe PID: 2908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 3u8A2xjbBT.exe PID: 4704, type: MEMORYSTR