Windows Analysis Report
Richardson Electronics, LTD. PRD10221301UUE.exe

Overview

General Information

Sample name: Richardson Electronics, LTD. PRD10221301UUE.exe
Analysis ID: 1520579
MD5: a93062ea78a516e011dfd18d4c462c87
SHA1: 3ce876b96600c4d0252c73fa97c4ed0764b29503
SHA256: 3b799063aa6a0a79e4a160b4650dc3199ebe128d1a183de4591e03a0b29674f1
Tags: exeuser-lowmal3
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.alternatifplastik.com", "Username": "fgghv@alternatifplastik.com", "Password": "Fineboy777@"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: Richardson Electronics, LTD. PRD10221301UUE.exe ReversingLabs: Detection: 28%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Richardson Electronics, LTD. PRD10221301UUE.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Richardson Electronics, LTD. PRD10221301UUE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: Richardson Electronics, LTD. PRD10221301UUE.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003D49000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2177833444.000000000303D000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202771883.00000000062B0000.00000004.08000000.00040000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2327778523.0000000002739000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2362069803.0000000003547000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2449682974.0000000003847000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2416647323.00000000029D7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003D49000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2177833444.000000000303D000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202771883.00000000062B0000.00000004.08000000.00040000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2327778523.0000000002739000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2362069803.0000000003547000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2449682974.0000000003847000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2416647323.00000000029D7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202348780.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.000000000474E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202348780.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.000000000474E000.00000004.00000800.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 4x nop then jmp 060B5483h 0_2_060B5280
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 4x nop then jmp 060B5483h 0_2_060B5290
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 4x nop then jmp 060B4EF7h 0_2_060B4B40
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 4x nop then jmp 060B4EF7h 0_2_060B4B50
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 4x nop then jmp 060BC6A8h 0_2_060BC5E9
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 4x nop then jmp 060BC6A8h 0_2_060BC5F0
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 4x nop then jmp 060D1C52h 0_2_060D1D0B
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 4x nop then jmp 060D1C52h 0_2_060D1B28
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 4x nop then jmp 060D1C52h 0_2_060D1B38
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_060D0B98
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_060D0BA0
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_062AD710
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05A3C6A8h 3_2_05A3C5E9
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05A3C6A8h 3_2_05A3C5F0
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05A34EF7h 3_2_05A34B40
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05A34EF7h 3_2_05A34B50
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05A35483h 3_2_05A35280
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05A35483h 3_2_05A35290
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05A51C52h 3_2_05A51D0B
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 3_2_05A50CB7
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 3_2_05A50BA0
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 3_2_05A50B98
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05A51C52h 3_2_05A51B28
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05A51C52h 3_2_05A51B38
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 3_2_05C2D710
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05B2C6A8h 8_2_05B2C5F0
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05B2C6A8h 8_2_05B2C5E9
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05B24EF7h 8_2_05B24B50
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05B24EF7h 8_2_05B24B40
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05B25483h 8_2_05B25290
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05B25483h 8_2_05B25280
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05B41C52h 8_2_05B41D0B
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 8_2_05B40CB7
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 8_2_05B40BA0
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 8_2_05B40B98
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05B41C52h 8_2_05B41B38
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then jmp 05B41C52h 8_2_05B41B28
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 8_2_05D1D710

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.6:49713 -> 5.2.84.236:60306
Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.6:49712 -> 5.2.84.236:21
Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.6:49719 -> 5.2.84.236:21
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.6:49722 -> 5.2.84.236:60969
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.6:49726 -> 5.2.84.236:49791
Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.6:49725 -> 5.2.84.236:21
Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 67.212.175.162:443 -> 192.168.2.6:49710
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 67.212.175.162:443 -> 192.168.2.6:49710
Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 67.212.175.162:443 -> 192.168.2.6:49715
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 67.212.175.162:443 -> 192.168.2.6:49715
Source: Network traffic Suricata IDS: 2017962 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download disguised as ASCII : 67.212.175.162:443 -> 192.168.2.6:49724
Source: Network traffic Suricata IDS: 2022640 - Severity 1 - ET MALWARE PE EXE or DLL Windows file download Text M2 : 67.212.175.162:443 -> 192.168.2.6:49724
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 5.2.84.236 ports 60969,60306,1,2,49791,21
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49713 -> 5.2.84.236:60306
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /john/Teoecc.wav HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /john/Teoecc.wav HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /john/Teoecc.wav HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 67.212.175.162 67.212.175.162
Source: Joe Sandbox View IP Address: 5.2.84.236 5.2.84.236
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS
Source: Joe Sandbox View ASN Name: ALASTYRTR ALASTYRTR
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Uses FTP
Source: unknown FTP traffic detected: 5.2.84.236:21 -> 192.168.2.6:49712 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 100 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 100 allowed.220-Local time is now 17:01. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 100 allowed.220-Local time is now 17:01. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 100 allowed.220-Local time is now 17:01. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 100 allowed.220-Local time is now 17:01. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 10 minutes of inactivity.
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /john/Teoecc.wav HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /john/Teoecc.wav HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /john/Teoecc.wav HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: wymascensores.com
Source: global traffic DNS traffic detected: DNS query: ftp.alternatifplastik.com
Source: InstallUtil.exe, 00000002.00000002.2330100397.0000000002B6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2330100397.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2418121035.000000000289E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2418121035.00000000028AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.3390128191.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.3390128191.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ftp.alternatifplastik.com
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2177833444.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2330100397.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2327778523.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2418121035.000000000289E000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2416647323.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.3390128191.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003E0F000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2177833444.00000000030F3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2322422336.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2362069803.000000000361D000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2327778523.00000000027F4000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2416647323.0000000002A89000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2449682974.000000000391B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202348780.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.000000000474E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202348780.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.000000000474E000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2362069803.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2449682974.00000000041F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202348780.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.000000000474E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202348780.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.000000000474E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202348780.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2177833444.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.000000000474E000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2327778523.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2416647323.0000000002851000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202348780.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.000000000474E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2177833444.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2327778523.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2416647323.00000000027AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wymascensores.com
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2177833444.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2327778523.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2416647323.00000000027A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wymascensores.com/john/Teoecc.wav
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, Eggdjjrhey.exe.0.dr String found in binary or memory: https://wymascensores.com/john/Teoecc.wav%Buffer
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.6:49724 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, SKTzxzsJw.cs .Net Code: RePIUNFdBeM

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060BDAD0 NtProtectVirtualMemory, 0_2_060BDAD0
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060BF004 NtResumeThread, 0_2_060BF004
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060BDAC8 NtProtectVirtualMemory, 0_2_060BDAC8
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060BEFF8 NtResumeThread, 0_2_060BEFF8
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060BF014 NtResumeThread, 0_2_060BF014
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A3F000 NtResumeThread, 3_2_05A3F000
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A3DAD0 NtProtectVirtualMemory, 3_2_05A3DAD0
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A3EFF8 NtResumeThread, 3_2_05A3EFF8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A3DAC8 NtProtectVirtualMemory, 3_2_05A3DAC8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B2F000 NtResumeThread, 8_2_05B2F000
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B2DAD0 NtProtectVirtualMemory, 8_2_05B2DAD0
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B2EFF8 NtResumeThread, 8_2_05B2EFF8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B2DAC8 NtProtectVirtualMemory, 8_2_05B2DAC8
Detected potential crypto function
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_012CAA28 0_2_012CAA28
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_012C67C9 0_2_012C67C9
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_012C67D8 0_2_012C67D8
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_012C7268 0_2_012C7268
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_012C7278 0_2_012C7278
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060617A0 0_2_060617A0
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_06061AD7 0_2_06061AD7
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060629B8 0_2_060629B8
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060B1A78 0_2_060B1A78
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060B6F00 0_2_060B6F00
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060BAD68 0_2_060BAD68
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060B6EF2 0_2_060B6EF2
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060B84A8 0_2_060B84A8
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060B84A6 0_2_060B84A6
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060BAD66 0_2_060BAD66
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060D35A1 0_2_060D35A1
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060DE774 0_2_060DE774
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060D1D0B 0_2_060D1D0B
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060D1500 0_2_060D1500
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060D7A1B 0_2_060D7A1B
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060D7A28 0_2_060D7A28
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060D1B28 0_2_060D1B28
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060D1B38 0_2_060D1B38
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060DE391 0_2_060DE391
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060DE3A0 0_2_060DE3A0
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060D308D 0_2_060D308D
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060DE928 0_2_060DE928
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060DE938 0_2_060DE938
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060F5B78 0_2_060F5B78
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060F689B 0_2_060F689B
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060FF6E8 0_2_060FF6E8
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060F5B69 0_2_060F5B69
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060F53B1 0_2_060F53B1
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060F53C0 0_2_060F53C0
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060F5C6C 0_2_060F5C6C
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060FB8BE 0_2_060FB8BE
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060F6DFF 0_2_060F6DFF
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_062AEE50 0_2_062AEE50
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_062A0006 0_2_062A0006
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_062A0040 0_2_062A0040
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_0652D2D0 0_2_0652D2D0
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_0652CF20 0_2_0652CF20
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_06510040 0_2_06510040
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_06510006 0_2_06510006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00E24A60 2_2_00E24A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00E29C63 2_2_00E29C63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00E23E48 2_2_00E23E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00E2CF28 2_2_00E2CF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_00E24190 2_2_00E24190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_061356B0 2_2_061356B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06130040 2_2_06130040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06133F28 2_2_06133F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0613BCC8 2_2_0613BCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06132AE8 2_2_06132AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06138B5B 2_2_06138B5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0613DBF8 2_2_0613DBF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0613321B 2_2_0613321B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_06134FD0 2_2_06134FD0
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_0233AA28 3_2_0233AA28
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_023367D8 3_2_023367D8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_023367C9 3_2_023367C9
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_02336FD4 3_2_02336FD4
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_02337278 3_2_02337278
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_059E4DB0 3_2_059E4DB0
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_059E17A0 3_2_059E17A0
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_059E29B8 3_2_059E29B8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_059E1AD7 3_2_059E1AD7
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A31990 3_2_05A31990
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A3AD68 3_2_05A3AD68
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A36F00 3_2_05A36F00
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A3AD59 3_2_05A3AD59
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A384A8 3_2_05A384A8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A38499 3_2_05A38499
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A36EF1 3_2_05A36EF1
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A535A1 3_2_05A535A1
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A5D5C9 3_2_05A5D5C9
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A5D5D8 3_2_05A5D5D8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A51D0B 3_2_05A51D0B
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A5D9BC 3_2_05A5D9BC
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A5308D 3_2_05A5308D
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A5DB80 3_2_05A5DB80
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A51B28 3_2_05A51B28
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A51B38 3_2_05A51B38
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A5DB70 3_2_05A5DB70
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A7689A 3_2_05A7689A
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A75B78 3_2_05A75B78
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A76DFF 3_2_05A76DFF
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A7B8BE 3_2_05A7B8BE
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A75C6C 3_2_05A75C6C
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A753B1 3_2_05A753B1
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A753C0 3_2_05A753C0
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A75B69 3_2_05A75B69
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A7F6E8 3_2_05A7F6E8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05C20040 3_2_05C20040
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05C20021 3_2_05C20021
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05C2EE50 3_2_05C2EE50
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05E90040 3_2_05E90040
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05E9001F 3_2_05E9001F
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05EACF20 3_2_05EACF20
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05EAD2D0 3_2_05EAD2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0541BCC0 5_2_0541BCC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05418B52 5_2_05418B52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0541DBF0 5_2_0541DBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_0541361B 5_2_0541361B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_054156A8 5_2_054156A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05410040 5_2_05410040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05413F20 5_2_05413F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05414FC8 5_2_05414FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_05412EE8 5_2_05412EE8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_00A7AA28 8_2_00A7AA28
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_00A767C9 8_2_00A767C9
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_00A767D8 8_2_00A767D8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_00A76FD4 8_2_00A76FD4
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_00A77278 8_2_00A77278
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05AD4DB0 8_2_05AD4DB0
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05AD17A0 8_2_05AD17A0
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05AD29B8 8_2_05AD29B8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05AD1AD7 8_2_05AD1AD7
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B2AD68 8_2_05B2AD68
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B21B88 8_2_05B21B88
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B26F00 8_2_05B26F00
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B2AD59 8_2_05B2AD59
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B284A6 8_2_05B284A6
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B284A8 8_2_05B284A8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B26EF2 8_2_05B26EF2
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B435A1 8_2_05B435A1
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B4D580 8_2_05B4D580
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B41D0B 8_2_05B41D0B
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B4D571 8_2_05B4D571
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B4D964 8_2_05B4D964
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B4308D 8_2_05B4308D
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B41B38 8_2_05B41B38
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B4DB28 8_2_05B4DB28
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B41B28 8_2_05B41B28
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B4DB18 8_2_05B4DB18
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B6689A 8_2_05B6689A
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B65B78 8_2_05B65B78
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B66DFF 8_2_05B66DFF
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B65C6C 8_2_05B65C6C
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B653B1 8_2_05B653B1
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B653C0 8_2_05B653C0
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B65B69 8_2_05B65B69
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B6F6E8 8_2_05B6F6E8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05D10040 8_2_05D10040
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05D10007 8_2_05D10007
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05D1EE50 8_2_05D1EE50
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05F80040 8_2_05F80040
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05F80006 8_2_05F80006
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05F9CF20 8_2_05F9CF20
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05F9D2D0 8_2_05F9D2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_02E993F8 9_2_02E993F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_02E94190 9_2_02E94190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_02E94A60 9_2_02E94A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_02E93E48 9_2_02E93E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_02E9CF28 9_2_02E9CF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_02E99C70 9_2_02E99C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_05AB8D2D 9_2_05AB8D2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_05ABBCC0 9_2_05ABBCC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_05ABDC00 9_2_05ABDC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_05AB56A8 9_2_05AB56A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_05AB3630 9_2_05AB3630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_05AB0040 9_2_05AB0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_05AB4FC8 9_2_05AB4FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_05AB3F20 9_2_05AB3F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_05AB2EE8 9_2_05AB2EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 9_2_02E99C68 9_2_02E99C68
Sample file is different than original file name gathered from version info
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202348780.00000000061E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2177833444.0000000002D88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003E0F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7dfcfdf2-d881-49c9-a39e-708aca656f85.exe4 vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003D49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2200865737.0000000005F10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTshrdofbi.dll" vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTshrdofbi.dll" vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003D99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003F29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTshrdofbi.dll" vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003F29000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000000.2139191255.0000000000994000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVsjieqtu.exe2 vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2177833444.000000000303D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2177833444.000000000303D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVsjieqtu.exe2 vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202771883.00000000062B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2176292945.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2177833444.00000000030F3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7dfcfdf2-d881-49c9-a39e-708aca656f85.exe4 vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.000000000474E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Richardson Electronics, LTD. PRD10221301UUE.exe
Source: Richardson Electronics, LTD. PRD10221301UUE.exe Binary or memory string: OriginalFilenameVsjieqtu.exe2 vs Richardson Electronics, LTD. PRD10221301UUE.exe
Uses 32bit PE files
Source: Richardson Electronics, LTD. PRD10221301UUE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d99570.6.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d99570.6.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d99570.6.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d99570.6.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d49550.3.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d49550.3.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d49550.3.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d49550.3.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d99570.6.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d49550.3.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d99570.6.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d49550.3.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d49550.3.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d99570.6.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d99570.6.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d99570.6.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d99570.6.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d49550.3.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/2@2/2
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe File created: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: Richardson Electronics, LTD. PRD10221301UUE.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Richardson Electronics, LTD. PRD10221301UUE.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Richardson Electronics, LTD. PRD10221301UUE.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe File read: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe "C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe"
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe "C:\Users\user\AppData\Roaming\Eggdjjrhey.exe"
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe "C:\Users\user\AppData\Roaming\Eggdjjrhey.exe"
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: Richardson Electronics, LTD. PRD10221301UUE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Richardson Electronics, LTD. PRD10221301UUE.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003D49000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2177833444.000000000303D000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202771883.00000000062B0000.00000004.08000000.00040000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2327778523.0000000002739000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2362069803.0000000003547000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2449682974.0000000003847000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2416647323.00000000029D7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003D49000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2177833444.000000000303D000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202771883.00000000062B0000.00000004.08000000.00040000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2327778523.0000000002739000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2362069803.0000000003547000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2449682974.0000000003847000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2416647323.00000000029D7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202348780.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.000000000474E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2202348780.00000000061E0000.00000004.08000000.00040000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2195447093.000000000474E000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, chTFiqmX7e7ryBTtveH.cs .Net Code: Type.GetTypeFromHandle(SHSWVArpMhbIMpKZQ9D.nosvkMpphr(16777265)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(SHSWVArpMhbIMpKZQ9D.nosvkMpphr(16777259)),Type.GetTypeFromHandle(SHSWVArpMhbIMpKZQ9D.nosvkMpphr(16777263))})
.NET source code contains potential unpacker
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, Evtxjrbk.cs .Net Code: LoadAssembly System.Reflection.Assembly.Load(byte[])
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, Qfwdks.cs .Net Code: Cuqrwcwcabq
Source: Eggdjjrhey.exe.0.dr, Evtxjrbk.cs .Net Code: LoadAssembly System.Reflection.Assembly.Load(byte[])
Source: Eggdjjrhey.exe.0.dr, Qfwdks.cs .Net Code: Cuqrwcwcabq
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.474ede0.8.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.474ede0.8.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.474ede0.8.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.474ede0.8.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.474ede0.8.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d99570.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d99570.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d99570.6.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d49550.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d49550.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3d49550.3.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Yara detected Costura Assembly Loader
Source: Yara match File source: 8.2.Eggdjjrhey.exe.40d1180.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.6170000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Eggdjjrhey.exe.3dd1180.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.4671180.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2416647323.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2449682974.00000000040D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2177833444.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2202112593.0000000006170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2362069803.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2327778523.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2195447093.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Richardson Electronics, LTD. PRD10221301UUE.exe PID: 2896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eggdjjrhey.exe PID: 936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eggdjjrhey.exe PID: 7152, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060BD296 push es; iretd 0_2_060BD2CC
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060B9F15 push cs; retf 0_2_060B9F16
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060B8F63 pushad ; ret 0_2_060B8FF9
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060B8499 push esp; ret 0_2_060B84A5
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060BAD59 pushad ; ret 0_2_060BAD65
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060D2C4E push es; ret 0_2_060D2C64
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060DC142 push es; ret 0_2_060DC1F0
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060F1F47 push es; iretd 0_2_060F2000
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060F2073 push es; iretd 0_2_060F212C
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060F20F3 push es; iretd 0_2_060F212C
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_060F212D push es; iretd 0_2_060F2138
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Code function: 0_2_065131F7 push cs; iretd 0_2_065131F8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_02330375 pushfd ; ret 3_2_02330401
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_059D2EA7 push esp; retf 3_2_059D2EA8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_059EDF9D push esp; ret 3_2_059EDFA1
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A38FF5 pushad ; ret 3_2_05A38FF9
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05A39F15 push cs; retf 3_2_05A39F16
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 3_2_05E931F7 push cs; iretd 3_2_05E931F8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05AC2EA7 push esp; retf 8_2_05AC2EA8
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B28499 push esp; ret 8_2_05B284A5
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B28FF5 pushad ; ret 8_2_05B28FF9
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05B29F15 push cs; retf 8_2_05B29F16
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Code function: 8_2_05F831F7 push cs; iretd 8_2_05F831F8
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.5f10000.10.raw.unpack, VrrLi8qNmMxuWnu3hJ3.cs High entropy of concatenated method names: 'MvsqlyCVSD', 'zseLtLF4wXjnYGS7A59', 'vH5DIMFS2Ult1QFsChe', 'geIg1MFycQAsgdkeMR3', 'eXL1pVF3HaSNA5mGsFo', 'ivE3ClFTRQ075xbi8Pi', 'OhmvOhFvlTUfMqRwJTb', 'UkpxOOFAQNprepksP54'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.5f10000.10.raw.unpack, gBtcIR8RcjgM3DoqN8n.cs High entropy of concatenated method names: 'KhU8hZchsL', 'yqC3krXQxcEcW5keFOE', 'N8GSWGXGSTG4IWr4HdK', 'My0HEiXZOSmK2JyBdMk', 'qJbgenX5HhlpZZHdwr1', 'GLHUsUXvLLqk1Pi2Zl1', 'uRCTF1XAqfwaRTF7pMu'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.5f10000.10.raw.unpack, pjfYpZqcSIBDon0A8DL.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'wF8qOJrkor', 'NtProtectVirtualMemory', 'nBZZeDF9eS4QjHVmJpm', 'PdlGX6FgJ2ng33FvkP6', 'PLx0gYFs8xx8Kb6KP53', 'LK2l2vFlsQkHkD8E7O8'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, heqkNqwlCACulDbN3p3.cs High entropy of concatenated method names: 'VBSw0m08RD', 'KLuwkKJKWH', 'bDjwgdX2Od', 'Bkqw1RkQwG', 'f9SGdclofkyU2eDytKw', 'n1YWJSlB6SB8sVydZYy', 'hmDo8IleahDr6T83PuE', 'cjJj1xl0RD65lh7owfD', 'xtPx97lky8CUIXMNuw3', 'j6MEdClCsOKnsnUtQUT'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, AssemblyLoader.cs High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'PixvAygvA7m41KAf5yJ'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, KwrHxD8pkmnaxCCr3Jh.cs High entropy of concatenated method names: 'Tf58aIim26', 'AOo8f5pQiD', 'yik8XDBs2N', 'cuY8jQeeO7', 'bY68FbsEIg', 'f50ci0XSYHeELwT9ZVQ', 'K7a08DXyZrtZencBnRO', 'hc2nKOXii9TaXP8mU2O', 'yDB1TrXbKIcI5e52DMF', 'nC1QojX7CNpSWsN6aNW'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, updkuA8sC2UZns1Ju8h.cs High entropy of concatenated method names: 'wPL89SuqBs', 'um18gFGRMm', 'YJF81yxHY2', 'cH3AxbjssaQDnh1u680', 'GMEbaVjlxkJjgtSn4xf', 'eNrKakj9l9iWLF7Dpii', 'RiYf5ujgsFf0b4a8uPy', 'lcwBFejjj7uNPcy22i6', 'zQKiMgjF925VN4aM6IZ', 'QoRTDKj1XPUV7mA3PPd'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, hhQOFgmJo0AVOZ47Kvp.cs High entropy of concatenated method names: 'AxEmPGKoWU', 'dDdKElgYpjWQiARIrQJ', 'PItY0Qgt3AGekSZfkxw', 'denAiKgVpTKFoDMjShU', 'Gjk2j1g8BZg0xynaayX', 'YN672pgq9yueerhhT6i', 'XsYSkkgIpapWXJGLCXD', 'S5RvMNgUsYfsdEtVqbU', 'ViUXqagwjkB9SBUN1C5', 'ScRQicgmJ71P3t68TBM'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, GnryndwZZGbsDI7FinL.cs High entropy of concatenated method names: 'fG3w3jj64U', 'm4FLCa9qq2c7X2gG7uk', 'MoRfL49IVpSPX6iJutE', 'f4H2G09UbJYAlHCQnXJ', 'fx3tBe9w4XNuFDp1VtS', 'zv1VKK9mfx23KFfnlUd', 'yO2Kj69nyd2iWg4WeMk', 'psN4Ig9VuMUPhAyuFlI', 'u3rfwF98bmRrSXAFmUW'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, DbiVHCwTMpnNHCI9yqF.cs High entropy of concatenated method names: 'raHwSMvlRG', 'eNuwiyhbiC', 'ObAwygoG78', 'zjRkIC9L87gWIIeLlpB', 'ye87hI9dYiKsZCc6Xyx', 'stvB1R9J2Kdubs83XKQ', 'cUiGIl9P30NEKqQdchH', 'MsqLEW92TUWgwmviv2m', 'RjxeMp9WV1kwSp4yf0w'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, TRBc3ddCa5DCEp0DmL.cs High entropy of concatenated method names: 'sImP0KK1f', 'oQs2oJI5F', 'neMcxUykv', 'TR1Hh83oO', 'kekLqZUwo', 'stiYUgaZ54iWyxywew9', 'tfcqMWa5DDcXBGfBkD0', 'JGCCRHa31ZbYfxgHLAo', 'hicm2CaTehE4vd2o2CV', 'dB3Utsa4vE3f7XULWmc'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, lBsNcDwu5L8LBIpUQ9t.cs High entropy of concatenated method names: 'kP0wpVQ95R', 'RGBZr4s6f3ERsIH2wQ5', 'HybkgysE9Y8MglAoaCJ', 'TX37LxszVlWi07dhnCW', 'rwkUbYlKGEGdZe6BTBQ', 'lckqQys7t0VP6pOZP92', 'yUDIlpsDTDx8aVA3V9T'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, eRyrb2uMR8r6A8nWGy.cs High entropy of concatenated method names: 'd6epyMr0M', 'UikNoc7pj', 'WgYfi19Nk', 'vO8abBJCB', 'FulPI6abCuVSCunauab', 'iOXh5ma70O2HXsOsb74', 'za3fCfaD4QobTBZtiYC', 'K3j8wsa6SDh5THnsGJf', 'ohpimIaE11UL9WZl5p0', 'HYmffvaznMZEr26sI9P'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, VrrLi8qNmMxuWnu3hJ3.cs High entropy of concatenated method names: 'MvsqlyCVSD', 'zseLtLF4wXjnYGS7A59', 'vH5DIMFS2Ult1QFsChe', 'geIg1MFycQAsgdkeMR3', 'eXL1pVF3HaSNA5mGsFo', 'ivE3ClFTRQ075xbi8Pi', 'OhmvOhFvlTUfMqRwJTb', 'UkpxOOFAQNprepksP54'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, gBtcIR8RcjgM3DoqN8n.cs High entropy of concatenated method names: 'KhU8hZchsL', 'yqC3krXQxcEcW5keFOE', 'N8GSWGXGSTG4IWr4HdK', 'My0HEiXZOSmK2JyBdMk', 'qJbgenX5HhlpZZHdwr1', 'GLHUsUXvLLqk1Pi2Zl1', 'uRCTF1XAqfwaRTF7pMu'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, lrNxUhrjMFMbZMAZyLr.cs High entropy of concatenated method names: 'jiQrCTlsXi', 'GHUrvaKMZK', 'tBFrAUhqUV', 'K9srQtpMt8', 'cGZrG5kgg1', 'gbXrZFcoDE', 'Do4r5P155E', 'z0Br3LCb3Y', 'AxYrTZ3Vpx', 'nhYr4lumfc'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, TFsuXEwedua0Zs6ue3S.cs High entropy of concatenated method names: 'cscwv1GwS9', 'S5sjenl5DvJcD0iGX59', 'XOcomjl38bs8Zk69D2Q', 'xaWF3nlTD9TVoqMgkrR', 'nhXrpal4gMQTbJ26Yl0', 'yoqCvHlSY59pVSvGpGr', 'EHFYDVlyXg6UH95aZwS', 'xLgYAEliRuklB2AWJxL', 'bW9hmklbuyeAJvHZBME', 'bKTHKBl7TVc93BBjXt5'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, chTFiqmX7e7ryBTtveH.cs High entropy of concatenated method names: 'LYmFP41xlpo0hNNVZKf', 'R7MRXI1RWCOnvotFFZ2', 'qj3rVBAkl2', 'oJaRbB1NyJyfo3jm1LL', 'M82O471aNjpKmaQWeTl', 'LwLfWP1fPrM5ud6Vd3x', 'UptQY81X8GLmP5BDrl1', 'JIWFvK1jg4Ypj6tItCf', 'vo6oHt1FlV2Rt8ExsKL', 'G67JLk1sNPEjmy7JFln'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, NJ7wh3mma5HZkZWpByp.cs High entropy of concatenated method names: 'iZ9mrD1shM', 'Rnimdyi8CZ', 'CEHdt59BTopQ9cPo30c', 'aue37f9eVYaG0b3aBaB', 'PB5dQr9CvLBWIYTbjda', 'WqB1Cw9kDy9TDguj4s8', 'oEvI7B9oDmeNOYdSjvg', 'NnYwm89vTGDZFEbD53e', 'xle71D9ADnB3dBqt0r0', 'dwhv2e9QgGl4GahJhmq'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, qYVYxywjI8IFriOuxfs.cs High entropy of concatenated method names: 'AF4wsN5wdU', 'tMGgTGlFPPa7cEsZ7Xn', 'X3MX5dls333Z8jQM9FP', 'IwuXO0ll2FHC8FmTCyh', 'ipco2ml9rbpHHvsgVRr', 'yaBm2flgHVOuauFSGBP', 'FdAevXlXk9W3uhhVuiM', 'sJJFDGljS2Q342J864d'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, pjfYpZqcSIBDon0A8DL.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'wF8qOJrkor', 'NtProtectVirtualMemory', 'nBZZeDF9eS4QjHVmJpm', 'PdlGX6FgJ2ng33FvkP6', 'PLx0gYFs8xx8Kb6KP53', 'LK2l2vFlsQkHkD8E7O8'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, CAPgMKwNAycR4TecKa7.cs High entropy of concatenated method names: 'mAgwfFZn3o', 'i4JwX8BS9G', 'qvZn7IlYJmIxnyXNgPl', 'mNl30Hlt7a1VuhgXN5p', 'grdQxRlVlbetyAVCdMc', 'lVY3Bql8elcASphf8ID', 'xoe85rlqrEPp3o74cse', 'aInTIYlIctOHhys1utB', 'SdTeoYlUcAnx8xZqAVY', 'vmAL8UlwpgJtJywnRgG'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, CkVlbirSXM6AQp3rRa7.cs High entropy of concatenated method names: 'fAqcW0KoYh', 'URAccbmNFA', 'h9bcH0bOUm', 'SM8cOWbhqc', 'jMTcxZ9qRS', 'CmLcRJdHKw', 't7ccuj5unf', 'MkQd2CBPp5', 'yrmchL0T1Z', 'oMAcpi8X74'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, x54erRm25yvmswt7S15.cs High entropy of concatenated method names: 'liEmcvZB29', 'mPgmHxjUht', 'Jt9iYfgL6kYwp0ZZrx4', 'c25mSNgP3yWWbmsqcWR', 'fag2ZWg2dTonGtu1Z6S', 'xyUyqngdMcrUZZWAk5c', 'mDqSA7gJVCtYePDQTKf', 'aRPy41gWVEaSOm9je6m', 'S9gqQKgcJLHdvXseSHW', 'RbupwbgHD6AEWbcLy9i'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, H1OubCYWg6yp8vlyifr.cs High entropy of concatenated method names: 'yUvYHxicFk', 'l4CXX2fXZxwVZDWkMGm', 'lUJd9afj32kuAm1wwIL', 'qqhjj2fFbCtRPivFJaC', 'AUQPudfsyDOrrgP1RpG', 'S4HxDBfl2oGETjRUSV2', 'UyrK1Yf9306yIjkCYwg', 'CieebFfgeHG5U9UndRm', 'gy7N4jf1JvsfGw5cx0W', 'PnA0eff0bZrkBGyyqpQ'
Source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.44a2610.2.raw.unpack, a6ighGqMD3hYU58ep8h.cs High entropy of concatenated method names: 'DiSqtYxU0U', 'e3Eq88W0qk', 'LkcqIl4iRK', 'WH2qw7y6Xl', 'lO3qm6DKJO', 'Lauqnkhppy', 'gC2qrQyqGR', 'T9nqds1fQB', 'Q4jqJ2c2Sm', 'LE7qLL8NTI'
Drops PE files
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe File created: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Jump to dropped file
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Eggdjjrhey Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Eggdjjrhey Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Richardson Electronics, LTD. PRD10221301UUE.exe PID: 2896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eggdjjrhey.exe PID: 936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eggdjjrhey.exe PID: 7152, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2177833444.0000000002D88000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2327778523.00000000024E7000.00000004.00000800.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000008.00000002.2416647323.0000000002851000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Memory allocated: 12C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Memory allocated: 2D40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Memory allocated: 2AC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: E20000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2B10000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4B10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory allocated: 22F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory allocated: 24A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory allocated: 44A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: D30000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2850000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: DD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory allocated: A70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory allocated: 27A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory allocated: 26E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2CE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2EC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2CE0000 memory reserve | memory write watch
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: Eggdjjrhey.exe, 00000008.00000002.2413757983.0000000000AB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: Eggdjjrhey.exe, 00000008.00000002.2416647323.0000000002851000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: InstallUtil.exe, 00000005.00000002.2437678396.0000000005AD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: Eggdjjrhey.exe, 00000008.00000002.2416647323.0000000002851000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: Richardson Electronics, LTD. PRD10221301UUE.exe, 00000000.00000002.2176292945.0000000001032000.00000004.00000020.00020000.00000000.sdmp, Eggdjjrhey.exe, 00000003.00000002.2323632426.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.3404752463.0000000006170000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 00000002.00000002.2324000943.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllll
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 750000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 750000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000 Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000 Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: BC6008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 750000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 752000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 78C000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 78E000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 51C008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: D45008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Queries volume information: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Queries volume information: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Queries volume information: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Eggdjjrhey.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Richardson Electronics, LTD. PRD10221301UUE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2362069803.000000000361D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2418121035.000000000289E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3390128191.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2195447093.0000000003E0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2416647323.0000000002A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2330100397.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2195447093.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2449682974.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2418121035.000000000285C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2327778523.00000000027F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2322422336.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2177833444.00000000030F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3390128191.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2330100397.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Richardson Electronics, LTD. PRD10221301UUE.exe PID: 2896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eggdjjrhey.exe PID: 936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eggdjjrhey.exe PID: 7152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6092, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2362069803.000000000361D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2195447093.0000000003E0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2416647323.0000000002A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2195447093.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2449682974.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2418121035.000000000285C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2327778523.00000000027F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2322422336.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2177833444.00000000030F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2330100397.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Richardson Electronics, LTD. PRD10221301UUE.exe PID: 2896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eggdjjrhey.exe PID: 936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eggdjjrhey.exe PID: 7152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6092, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Richardson Electronics, LTD. PRD10221301UUE.exe.3e24a70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2362069803.000000000361D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2418121035.000000000289E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3390128191.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2195447093.0000000003E0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2416647323.0000000002A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2330100397.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2195447093.0000000003EBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2449682974.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2418121035.000000000285C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2327778523.00000000027F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2322422336.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2177833444.00000000030F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3390128191.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2330100397.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Richardson Electronics, LTD. PRD10221301UUE.exe PID: 2896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eggdjjrhey.exe PID: 936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eggdjjrhey.exe PID: 7152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6092, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1520579 Sample: Richardson Electronics, LTD... Startdate: 27/09/2024 Architecture: WINDOWS Score: 100 30 wymascensores.com 2->30 32 ftp.alternatifplastik.com 2->32 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 10 other signatures 2->52 7 Richardson Electronics, LTD. PRD10221301UUE.exe 16 4 2->7         started        12 Eggdjjrhey.exe 14 2 2->12         started        14 Eggdjjrhey.exe 2 2->14         started        signatures3 process4 dnsIp5 34 wymascensores.com 67.212.175.162, 443, 49710, 49715 SINGLEHOP-LLCUS United States 7->34 24 C:\Users\user\AppData\...ggdjjrhey.exe, PE32 7->24 dropped 26 C:\Users\...ggdjjrhey.exe:Zone.Identifier, ASCII 7->26 dropped 54 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->54 56 Writes to foreign memory regions 7->56 58 Allocates memory in foreign processes 7->58 16 InstallUtil.exe 14 2 7->16         started        60 Multi AV Scanner detection for dropped file 12->60 62 Machine Learning detection for dropped file 12->62 64 Injects a PE file into a foreign processes 12->64 20 InstallUtil.exe 2 12->20         started        22 InstallUtil.exe 14->22         started        file6 signatures7 process8 dnsIp9 28 ftp.alternatifplastik.com 5.2.84.236, 21, 49712, 49713 ALASTYRTR Turkey 16->28 36 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->36 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->38 40 Tries to steal Mail credentials (via file / registry access) 22->40 42 Tries to harvest and steal ftp login credentials 22->42 44 Tries to harvest and steal browser information (history, passwords, etc) 22->44 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
67.212.175.162
 wymascensores.com United States
32475 SINGLEHOP-LLCUS true
5.2.84.236
 ftp.alternatifplastik.com Turkey
3188 ALASTYRTR true

Contacted Domains

Name IP Active
wymascensores.com 67.212.175.162 true
ftp.alternatifplastik.com 5.2.84.236 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://wymascensores.com/john/Teoecc.wav true
    		unknown