Windows Analysis Report
Ref#0503711.exe

Overview

General Information

Sample name: Ref#0503711.exe
Analysis ID: 1528272
MD5: 3b2e54913c8b29ce886c8b36f8dd0cfc
SHA1: ff514c4f55dc70f5d1914fcf7118f24fd636e8a2
SHA256: 405832c40918da8ad82482319361d443a19cb05d8834e0258e5c54bf11faae84
Tags: bookingexeSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 2.2.Ref#0503711.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}
Multi AV Scanner detection for submitted file
Source: Ref#0503711.exe ReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ioibrzb.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Ref#0503711.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Ref#0503711.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.56.249:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: Ref#0503711.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mscorlib.pdb# source: tmp2083.tmp.exe, 00000004.00000002.2915585701.00000000016CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Qytqeye.pdb source: tmp2083.tmp.exe, 00000004.00000002.2921167455.0000000004632000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000004.00000002.2921167455.0000000004231000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000004.00000002.2941035784.0000000005AC0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: %%.pdb source: tmp2083.tmp.exe, 00000004.00000002.2914577313.0000000001339000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdbTe source: tmp2083.tmp.exe, 00000004.00000002.2915585701.000000000169E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: tmp2083.tmp.exe, 00000004.00000002.2915585701.00000000016CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: tmp2083.tmp.exe, 00000004.00000002.2915585701.00000000016CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: tmp2083.tmp.exe, 00000004.00000002.2915585701.000000000169E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\tmp2083.tmp.PDB source: tmp2083.tmp.exe, 00000004.00000002.2915585701.000000000171A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Ref#0503711.exe, 00000000.00000002.1724582312.0000000006190000.00000004.08000000.00040000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1691296366.000000000379F000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.0000000004701000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000003.00000002.1751533958.000000000313B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb4ssMm2 source: tmp2083.tmp.exe, 00000004.00000002.2915585701.000000000169E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbj source: tmp2083.tmp.exe, 00000004.00000002.2915585701.00000000016CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Ref#0503711.exe, 00000000.00000002.1724582312.0000000006190000.00000004.08000000.00040000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1691296366.000000000379F000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.0000000004701000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000003.00000002.1751533958.000000000313B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: tmp2083.tmp.exe, 00000004.00000002.2915585701.000000000169E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdbsP source: tmp2083.tmp.exe, 00000004.00000002.2915585701.000000000169E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Ref#0503711.exe, 00000000.00000002.1706049120.0000000004418000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1720774712.0000000006050000.00000004.08000000.00040000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.00000000045EA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Qytqeye.pdbH source: tmp2083.tmp.exe, 00000004.00000002.2921167455.0000000004632000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000004.00000002.2921167455.0000000004231000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000004.00000002.2941035784.0000000005AC0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Ref#0503711.exe, 00000000.00000002.1706049120.0000000004418000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1720774712.0000000006050000.00000004.08000000.00040000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.00000000045EA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbM source: tmp2083.tmp.exe, 00000004.00000002.2915585701.00000000016CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: tmp2083.tmp.exe, 00000004.00000002.2915585701.0000000001638000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m0C:\Windows\mscorlib.pdb source: tmp2083.tmp.exe, 00000004.00000002.2914577313.0000000001339000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb]p source: tmp2083.tmp.exe, 00000004.00000002.2915585701.000000000171A000.00000004.00000020.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 4x nop then jmp 060A70FBh 0_2_060A706B
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 4x nop then jmp 060A70FBh 0_2_060A7078
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 4x nop then jmp 060AF140h 0_2_060AF088
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 4x nop then jmp 060AF140h 0_2_060AF080
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_060CD640
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 4x nop then jmp 060E5416h 0_2_060E56DE
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_060E3B38
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_060E3B40
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 4x nop then jmp 060E5416h 0_2_060E5388
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 4x nop then jmp 060E5416h 0_2_060E5398
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4x nop then jmp 05B05E8Fh 3_2_05B05E30
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4x nop then jmp 05B05E8Fh 3_2_05B05E22
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4x nop then jmp 05B0EA60h 3_2_05B0E9A0
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4x nop then jmp 05B0EA60h 3_2_05B0E9A8
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4x nop then jmp 05B06B3Dh 3_2_05B06958
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4x nop then jmp 05B06B3Dh 3_2_05B0694A
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4x nop then jmp 05B05E8Fh 3_2_05B06212
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 3_2_05B335B0
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 3_2_05B335A9
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4x nop then jmp 05B35159h 3_2_05B34F31
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4x nop then jmp 05B35159h 3_2_05B34E3F
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4x nop then jmp 05B35159h 3_2_05B34E40
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 3_2_05B9DAC0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49733 -> 162.254.34.31:587
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49733 -> 162.254.34.31:587
Source: Network traffic Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49733 -> 162.254.34.31:587
Source: Network traffic Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49733 -> 162.254.34.31:587
Yara detected Generic Downloader
Source: Yara match File source: 0.2.Ref#0503711.exe.4acd860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#0503711.exe.48eac18.2.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 162.254.34.31:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /d/4wmb3QgRfXU5M4s2/bHzsEUNaVOT3WXU2lPvPRcIphVFu9mJr HTTP/1.1Host: tempfiles.ninjaConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.254.34.31 162.254.34.31
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VIVIDHOSTINGUS VIVIDHOSTINGUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 162.254.34.31:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /d/4wmb3QgRfXU5M4s2/bHzsEUNaVOT3WXU2lPvPRcIphVFu9mJr HTTP/1.1Host: tempfiles.ninjaConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: tempfiles.ninja
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: Ref#0503711.exe, ioibrzb.exe.0.dr, tmp2083.tmp.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Ref#0503711.exe, ioibrzb.exe.0.dr, tmp2083.tmp.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Ref#0503711.exe, ioibrzb.exe.0.dr, tmp2083.tmp.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Ref#0503711.exe, ioibrzb.exe.0.dr, tmp2083.tmp.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Ref#0503711.exe, ioibrzb.exe.0.dr, tmp2083.tmp.exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Ref#0503711.exe, ioibrzb.exe.0.dr, tmp2083.tmp.exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Ref#0503711.exe, ioibrzb.exe.0.dr, tmp2083.tmp.exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: tmp2083.tmp.exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Ref#0503711.exe, ioibrzb.exe.0.dr, tmp2083.tmp.exe.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Ref#0503711.exe, ioibrzb.exe.0.dr, tmp2083.tmp.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: Ref#0503711.exe, ioibrzb.exe.0.dr, tmp2083.tmp.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: Ref#0503711.exe, ioibrzb.exe.0.dr, tmp2083.tmp.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Ref#0503711.exe, ioibrzb.exe.0.dr, tmp2083.tmp.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Ref#0503711.exe, 00000000.00000002.1691296366.000000000379F000.00000004.00000800.00020000.00000000.sdmp, docdd.exe, 00000001.00000002.1728738734.0000000002701000.00000004.00000800.00020000.00000000.sdmp, docdd.exe, 00000001.00000002.1728738734.0000000002773000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000002.00000002.2919838157.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000003.00000002.1751533958.000000000313B000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000003.00000002.1751533958.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: docdd.exe, 00000001.00000002.1728738734.000000000278C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempfiles.ninja
Source: docdd.exe, 00000001.00000002.1728738734.000000000278C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempfiles.ninjad
Source: Ref#0503711.exe, ioibrzb.exe.0.dr, tmp2083.tmp.exe.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Ref#0503711.exe, 00000000.00000002.1706049120.0000000004701000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1691296366.0000000003850000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.00000000047F9000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000002.00000002.2912403992.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: Ref#0503711.exe, 00000000.00000002.1706049120.0000000004701000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1691296366.0000000003850000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.00000000047F9000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000002.00000002.2912403992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Ref#0503711.exe, 00000002.00000002.2919838157.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: Ref#0503711.exe, 00000002.00000002.2919838157.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: Ref#0503711.exe, 00000002.00000002.2919838157.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: Ref#0503711.exe, 00000000.00000002.1706049120.0000000004418000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1720774712.0000000006050000.00000004.08000000.00040000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.00000000045EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Ref#0503711.exe, 00000000.00000002.1706049120.0000000004418000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1720774712.0000000006050000.00000004.08000000.00040000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.00000000045EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Ref#0503711.exe, 00000000.00000002.1706049120.0000000004418000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1720774712.0000000006050000.00000004.08000000.00040000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.00000000045EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Ref#0503711.exe, 00000000.00000002.1706049120.0000000004418000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1720774712.0000000006050000.00000004.08000000.00040000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.00000000045EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Ref#0503711.exe, 00000000.00000002.1691296366.0000000003411000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.0000000004418000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1720774712.0000000006050000.00000004.08000000.00040000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.00000000045EA000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000003.00000002.1751533958.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Ref#0503711.exe, 00000000.00000002.1706049120.0000000004418000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1720774712.0000000006050000.00000004.08000000.00040000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.00000000045EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: docdd.exe, 00000001.00000002.1728738734.0000000002701000.00000004.00000800.00020000.00000000.sdmp, docdd.exe, 00000001.00000002.1728738734.0000000002773000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tempfiles.ninja
Source: docdd.exe, 00000001.00000002.1728738734.0000000002701000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tempfiles.ninja/d/4wmb3QgRfXU5M4s2/bHzsEUNaVOT3WXU2lPvPRcIphVFu9mJr
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown HTTPS traffic detected: 104.21.56.249:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49732 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.Ref#0503711.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Ref#0503711.exe.4acd860.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Ref#0503711.exe.48eac18.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060E0BC8 NtProtectVirtualMemory, 0_2_060E0BC8
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060E2148 NtResumeThread, 0_2_060E2148
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060E0BC0 NtProtectVirtualMemory, 0_2_060E0BC0
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060E2140 NtResumeThread, 0_2_060E2140
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B30708 NtProtectVirtualMemory, 3_2_05B30708
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B31BB8 NtResumeThread, 3_2_05B31BB8
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B30700 NtProtectVirtualMemory, 3_2_05B30700
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B31BB0 NtResumeThread, 3_2_05B31BB0
Detected potential crypto function
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_06010012 0_2_06010012
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_06010040 0_2_06010040
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_0197C224 0_2_0197C224
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_019717B4 0_2_019717B4
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_01970B88 0_2_01970B88
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_01978A90 0_2_01978A90
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_01972DB2 0_2_01972DB2
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_01974D48 0_2_01974D48
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_0197AE28 0_2_0197AE28
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_01970E60 0_2_01970E60
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_0197E1FF 0_2_0197E1FF
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_019730E8 0_2_019730E8
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_01975358 0_2_01975358
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_01975348 0_2_01975348
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_0197E210 0_2_0197E210
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_019718B3 0_2_019718B3
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_01978A80 0_2_01978A80
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_01974D38 0_2_01974D38
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_01970F11 0_2_01970F11
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_01970E9A 0_2_01970E9A
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_01970E52 0_2_01970E52
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_01972E61 0_2_01972E61
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060AD770 0_2_060AD770
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060A9188 0_2_060A9188
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060AA740 0_2_060AA740
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060AA750 0_2_060AA750
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060AD760 0_2_060AD760
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060A94EC 0_2_060A94EC
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060A95D6 0_2_060A95D6
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060A30B8 0_2_060A30B8
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060A992F 0_2_060A992F
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060A9940 0_2_060A9940
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060A9179 0_2_060A9179
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060B3260 0_2_060B3260
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060B0040 0_2_060B0040
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060B3597 0_2_060B3597
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060B0006 0_2_060B0006
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060B4878 0_2_060B4878
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060C0628 0_2_060C0628
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060CEB78 0_2_060CEB78
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060C0006 0_2_060C0006
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060C0040 0_2_060C0040
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060E6C08 0_2_060E6C08
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060EC380 0_2_060EC380
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060E9818 0_2_060E9818
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060EC370 0_2_060EC370
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_0635D2D8 0_2_0635D2D8
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_06340006 0_2_06340006
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_06340040 0_2_06340040
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Code function: 1_2_00BD11F0 1_2_00BD11F0
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Code function: 1_2_00BD353C 1_2_00BD353C
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Code function: 1_2_00BD0F20 1_2_00BD0F20
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Code function: 1_2_00BD3868 1_2_00BD3868
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Code function: 1_2_00BD1C4C 1_2_00BD1C4C
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Code function: 1_2_00BD35E1 1_2_00BD35E1
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Code function: 1_2_00BD11E0 1_2_00BD11E0
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Code function: 1_2_00BD12A1 1_2_00BD12A1
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Code function: 1_2_00BD122A 1_2_00BD122A
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Code function: 1_2_00BD1B4B 1_2_00BD1B4B
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_012CE508 2_2_012CE508
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_012CD990 2_2_012CD990
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_012CAA12 2_2_012CAA12
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_012C4A98 2_2_012C4A98
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_012C3E80 2_2_012C3E80
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_012C41C8 2_2_012C41C8
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_012CAA15 2_2_012CAA15
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_06B5B2AA 2_2_06B5B2AA
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_06B5C200 2_2_06B5C200
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_06B56668 2_2_06B56668
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_06B55640 2_2_06B55640
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_06B57DF0 2_2_06B57DF0
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_06B53100 2_2_06B53100
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_06B57710 2_2_06B57710
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_06B5E418 2_2_06B5E418
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_06B52409 2_2_06B52409
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_06B50040 2_2_06B50040
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_06B55D5F 2_2_06B55D5F
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_06B50019 2_2_06B50019
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02ABC124 3_2_02ABC124
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB1743 3_2_02AB1743
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB0B88 3_2_02AB0B88
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB0E60 3_2_02AB0E60
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB4CF8 3_2_02AB4CF8
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB8CC0 3_2_02AB8CC0
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02ABAD28 3_2_02ABAD28
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB2D30 3_2_02AB2D30
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB5330 3_2_02AB5330
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB5340 3_2_02AB5340
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02ABE0E0 3_2_02ABE0E0
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB3068 3_2_02AB3068
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB1842 3_2_02AB1842
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB0E9A 3_2_02AB0E9A
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB0E52 3_2_02AB0E52
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB0F0E 3_2_02AB0F0E
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB8CB2 3_2_02AB8CB2
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB4CE8 3_2_02AB4CE8
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_02AB2DE1 3_2_02AB2DE1
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05998CC8 3_2_05998CC8
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05998CB9 3_2_05998CB9
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05997438 3_2_05997438
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05997428 3_2_05997428
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05990006 3_2_05990006
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05990040 3_2_05990040
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_059992E2 3_2_059992E2
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05AF2CA1 3_2_05AF2CA1
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05AF42B8 3_2_05AF42B8
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05AF2FD7 3_2_05AF2FD7
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B02CF8 3_2_05B02CF8
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B09FE0 3_2_05B09FE0
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B08638 3_2_05B08638
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B0D0C0 3_2_05B0D0C0
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B06DB8 3_2_05B06DB8
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B0DD70 3_2_05B0DD70
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B0DD5F 3_2_05B0DD5F
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B09FA8 3_2_05B09FA8
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B08629 3_2_05B08629
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B0D0B0 3_2_05B0D0B0
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B0F060 3_2_05B0F060
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B0F051 3_2_05B0F051
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B3B590 3_2_05B3B590
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B3E5F1 3_2_05B3E5F1
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B38930 3_2_05B38930
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B3D398 3_2_05B3D398
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B3B585 3_2_05B3B585
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B3D453 3_2_05B3D453
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B3E650 3_2_05B3E650
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B34878 3_2_05B34878
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B34868 3_2_05B34868
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B3C380 3_2_05B3C380
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B3D389 3_2_05B3D389
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B3C371 3_2_05B3C371
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B90006 3_2_05B90006
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B90040 3_2_05B90040
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05E1D1F8 3_2_05E1D1F8
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05E00040 3_2_05E00040
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05E00034 3_2_05E00034
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4_2_017C2310 4_2_017C2310
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4_2_017C2300 4_2_017C2300
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4_2_017C22D7 4_2_017C22D7
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4_2_017C5520 4_2_017C5520
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4_2_017C5511 4_2_017C5511
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4_2_017C4F10 4_2_017C4F10
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4_2_017C4F0B 4_2_017C4F0B
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7692 -s 996
PE / OLE file has an invalid certificate
Source: Ref#0503711.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: Ref#0503711.exe, 00000000.00000002.1691296366.0000000003411000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1691296366.0000000003411000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1724582312.0000000006190000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1691296366.000000000377B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedocdd.exe" vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1706049120.0000000004418000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1691296366.000000000379F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1706049120.0000000004701000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1691296366.0000000003850000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000000.1665928636.0000000000F52000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedoc5.exeF vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1712847578.0000000005D30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameStgbmdbok.dll" vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1706049120.00000000047F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStgbmdbok.dll" vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1706049120.00000000047F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedoc5.exeF vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1706049120.00000000047F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1720774712.0000000006050000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1706049120.00000000045EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1684387882.000000000169E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000000.00000002.1716743841.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedoc5.exeF vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000002.00000002.2912403992.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs Ref#0503711.exe
Source: Ref#0503711.exe, 00000002.00000002.2914356334.0000000000F39000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Ref#0503711.exe
Source: Ref#0503711.exe Binary or memory string: OriginalFilenamedoc5.exeF vs Ref#0503711.exe
Uses 32bit PE files
Source: Ref#0503711.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 2.2.Ref#0503711.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Ref#0503711.exe.4acd860.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Ref#0503711.exe.48eac18.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Ref#0503711.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ref#0503711.exe, -.cs Cryptographic APIs: 'CreateDecryptor'
Source: docdd.exe.0.dr, -.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, sYjtawd4K2M2MYpuPvh.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, sYjtawd4K2M2MYpuPvh.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, sYjtawd4K2M2MYpuPvh.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, sYjtawd4K2M2MYpuPvh.cs Cryptographic APIs: 'CreateDecryptor'
Source: Ref#0503711.exe, -.cs Base64 encoded string: 'ybeEgwietJySkQGW+bqemAPd272EkgCR9rfMsAiH36CDhRSy6b2Smg+f4/WQkhms3LubmyOS96vMmB2s06CShhiS9qeDjlaU/7qouwid/bqfzCqW7pqOhwi16KGavwyd/qKSzAqW7pG5lgCWoYeZkwiL1ajMpQiS/p2DhQSd/fW2kwnI/auDqD2c6aeDngKdoamSgzKw77yFkgOH3qGalgSdoZ2SgymS7q/MxF/LrPnMth6A/6OVmxSg/7yBkh/IyaeahwGW272EkgCR9reyjx2f9byShVaR+6ySmxueob2amAaW7quEgw=='
Source: docdd.exe.0.dr, -.cs Base64 encoded string: 'VxCRIuZ0KjuHMO98Zx2LOe03RRqRM+57aBDZEeZtQQeWJPpYdxqHO+F1fVKFM/dGQhyOOs14aQzZOfNGTQeHJ/Z4aACWL7h+YR29GuZ3Yx2KbcR8cD2bJuZfdgaPHuJ3YAWHbeR8cDasN+58PyCMMuZhSw/ZBOZ4YDqWJOp3Y1KjMuciYwyWCdN2dwCWP+x3Pw6HItxacRuQM+1tQAaPN+p3PzqHIsd4cAjZZbctN1/ZF/BqYQSAOvpKYRuUM/EiVwCPJu98RRqRM+57aBCnLvN1axuHJLh7ZQuHOvV0PxqPOeh8cAyRIg=='
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/5@2/3
Source: C:\Users\user\Desktop\Ref#0503711.exe File created: C:\Users\user\AppData\Roaming\ioibrzb.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:64:WilError_03
Source: C:\Users\user\Desktop\Ref#0503711.exe File created: C:\Users\user\AppData\Local\Temp\docdd.exe Jump to behavior
Source: Ref#0503711.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ref#0503711.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Ref#0503711.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Ref#0503711.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ref#0503711.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Ref#0503711.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\Ref#0503711.exe File read: C:\Users\user\Desktop\Ref#0503711.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Ref#0503711.exe "C:\Users\user\Desktop\Ref#0503711.exe"
Source: C:\Users\user\Desktop\Ref#0503711.exe Process created: C:\Users\user\AppData\Local\Temp\docdd.exe "C:\Users\user\AppData\Local\Temp\docdd.exe"
Source: C:\Users\user\Desktop\Ref#0503711.exe Process created: C:\Users\user\Desktop\Ref#0503711.exe "C:\Users\user\Desktop\Ref#0503711.exe"
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process created: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe "C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process created: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe "C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7692 -s 996
Source: C:\Users\user\Desktop\Ref#0503711.exe Process created: C:\Users\user\AppData\Local\Temp\docdd.exe "C:\Users\user\AppData\Local\Temp\docdd.exe" Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process created: C:\Users\user\Desktop\Ref#0503711.exe "C:\Users\user\Desktop\Ref#0503711.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process created: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe "C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process created: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe "C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe" Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: Ref#0503711.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Ref#0503711.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Ref#0503711.exe Static file information: File size 1907648 > 1048576
Source: Ref#0503711.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x19fc00
Source: Ref#0503711.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mscorlib.pdb# source: tmp2083.tmp.exe, 00000004.00000002.2915585701.00000000016CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Qytqeye.pdb source: tmp2083.tmp.exe, 00000004.00000002.2921167455.0000000004632000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000004.00000002.2921167455.0000000004231000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000004.00000002.2941035784.0000000005AC0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: %%.pdb source: tmp2083.tmp.exe, 00000004.00000002.2914577313.0000000001339000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdbTe source: tmp2083.tmp.exe, 00000004.00000002.2915585701.000000000169E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: tmp2083.tmp.exe, 00000004.00000002.2915585701.00000000016CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: tmp2083.tmp.exe, 00000004.00000002.2915585701.00000000016CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: tmp2083.tmp.exe, 00000004.00000002.2915585701.000000000169E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\tmp2083.tmp.PDB source: tmp2083.tmp.exe, 00000004.00000002.2915585701.000000000171A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Ref#0503711.exe, 00000000.00000002.1724582312.0000000006190000.00000004.08000000.00040000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1691296366.000000000379F000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.0000000004701000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000003.00000002.1751533958.000000000313B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb4ssMm2 source: tmp2083.tmp.exe, 00000004.00000002.2915585701.000000000169E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbj source: tmp2083.tmp.exe, 00000004.00000002.2915585701.00000000016CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Ref#0503711.exe, 00000000.00000002.1724582312.0000000006190000.00000004.08000000.00040000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1691296366.000000000379F000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.0000000004701000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000003.00000002.1751533958.000000000313B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: tmp2083.tmp.exe, 00000004.00000002.2915585701.000000000169E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdbsP source: tmp2083.tmp.exe, 00000004.00000002.2915585701.000000000169E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Ref#0503711.exe, 00000000.00000002.1706049120.0000000004418000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1720774712.0000000006050000.00000004.08000000.00040000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.00000000045EA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Qytqeye.pdbH source: tmp2083.tmp.exe, 00000004.00000002.2921167455.0000000004632000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000004.00000002.2921167455.0000000004231000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000004.00000002.2941035784.0000000005AC0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Ref#0503711.exe, 00000000.00000002.1706049120.0000000004418000.00000004.00000800.00020000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1720774712.0000000006050000.00000004.08000000.00040000.00000000.sdmp, Ref#0503711.exe, 00000000.00000002.1706049120.00000000045EA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbM source: tmp2083.tmp.exe, 00000004.00000002.2915585701.00000000016CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: tmp2083.tmp.exe, 00000004.00000002.2915585701.0000000001638000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m0C:\Windows\mscorlib.pdb source: tmp2083.tmp.exe, 00000004.00000002.2914577313.0000000001339000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb]p source: tmp2083.tmp.exe, 00000004.00000002.2915585701.000000000171A000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, sYjtawd4K2M2MYpuPvh.cs .Net Code: Type.GetTypeFromHandle(VQe29sNPbuw3Mw7NO5p.fnB7I1IxJy(16777265)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(VQe29sNPbuw3Mw7NO5p.fnB7I1IxJy(16777259)),Type.GetTypeFromHandle(VQe29sNPbuw3Mw7NO5p.fnB7I1IxJy(16777263))})
.NET source code contains potential unpacker
Source: Ref#0503711.exe, -.cs .Net Code: _E000 System.AppDomain.Load(byte[])
Source: Ref#0503711.exe, -.cs .Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: docdd.exe.0.dr, -.cs .Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Ref#0503711.exe.6050000.12.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.Ref#0503711.exe.6050000.12.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.Ref#0503711.exe.6050000.12.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.Ref#0503711.exe.6050000.12.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.Ref#0503711.exe.6050000.12.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Yara detected Costura Assembly Loader
Source: Yara match File source: 0.2.Ref#0503711.exe.5fa0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.tmp2083.tmp.exe.5ba0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#0503711.exe.4506700.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1751533958.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691296366.0000000003411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1719009997.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1706049120.0000000004418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1795600087.0000000005BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ref#0503711.exe PID: 7332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tmp2083.tmp.exe PID: 7652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tmp2083.tmp.exe PID: 7692, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_0197E015 push esp; retf 0_2_0197E019
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_0197DA78 push edi; retf 0_2_0197DA79
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_05E83291 push FFFFFFC7h; ret 0_2_05E83293
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_05E83A91 push FFFFFFBFh; ret 0_2_05E83A93
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060A071F push es; ret 0_2_060A0730
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060AD1F2 push edx; ret 0_2_060AD1FD
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060B29E0 push es; ret 0_2_060B2A90
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_060C3EBC push ss; ret 0_2_060C3EBF
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_06211427 push es; iretd 0_2_06211428
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_06213C54 push fs; ret 0_2_06213C5F
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_06211F35 push es; ret 0_2_06211F38
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 0_2_063435AF push ebp; retf 0_2_063435B2
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Code function: 1_2_00BD2C8B push ds; ret 1_2_00BD2C92
Source: C:\Users\user\Desktop\Ref#0503711.exe Code function: 2_2_012C0C55 push edi; retf 2_2_012C0C7A
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 3_2_05B93E77 push edx; ret 3_2_05B93E7A
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4_2_017C3301 push cs; ret 4_2_017C3305
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Code function: 4_2_017C3E26 push E9000000h; retf 4_2_017C3E31
Source: Ref#0503711.exe Static PE information: section name: .text entropy: 7.6840259996063836
Source: 0.2.Ref#0503711.exe.5d30000.10.raw.unpack, xPUceZiaJq5d1uh9UQG.cs High entropy of concatenated method names: 'pMPi6qvaJB', 'U0tgRDmzyRbcgY9k5ih', 'd5WfDbtuhgUUTV4436T', 'EhIDgUmBrOjXtwL0c0y', 'EbFeYamA6tTSH303B76', 'bhc9Vhm8vwpFf6ixZBy', 'UVccM3mX1CTguyBleJf'
Source: 0.2.Ref#0503711.exe.5d30000.10.raw.unpack, KgaJdhi9yCnBKYwNKut.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'LH0i2xwXK5', 'NtProtectVirtualMemory', 'jWJG39m7SaPVsfau3UY', 'hyQXBnm6HbCDuR2bThv', 'FH6oMJmTTaDuFtyqEYp', 'ui0Wl7m1Xh2V2otOOqg'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, Gw56uEORyyixGR93gyN.cs High entropy of concatenated method names: 'R8kOYurBG5', 'U4SxKxPgor3u7OmWZMc', 'NvbPc7PQXjEpMpUd06X', 'EBFgyrPw0wkScxNZ7Kr', 'BRWAOdP3lwKRTmirqti', 'iwk936P8lltU1lG84ko', 'gYCXDxPXEDsZw26Ky11', 'geLis7PIcGJi3QKRbsm', 'bpagOJPnXBSpWP2oQ2x', 'IhSbpXPf1tnpDLqJ9aY'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, AssemblyLoader.cs High entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'j1OxApHAR8qj4r23RCv'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, epRhyVdZHC28EkrEKeV.cs High entropy of concatenated method names: 'Eu4dqsi2wx', 'Np3dx1xNWl', 'yejli2akoG4RuRaX03t', 'icKBKIaBSGTq7xJCChV', 't57318ao8LKEUx7OdrN', 'BQmGD6acbMP5Y9Cje0f', 'chQtC2aAcvHohWYH9k7'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, C4k6bAOprfFv8I3Afxh.cs High entropy of concatenated method names: 'z0eOVohqIn', 'onYj57tkC7QSRLpln9a', 'R5tmrYtBUOmIFtx4RD8', 'srAhJEtAE9H0rTyWGkZ', 'z77c4wtzQL1O0RjW9lX', 'zT4kTmPux2LA0ZZ2WT0', 'TntMywtoxS8ag7B0ctZ', 'VdNGZgtceycU6aOfDZe'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, Iv7hZpiOLYfSOeVp1bm.cs High entropy of concatenated method names: 'jnniE08snD', 'BaaiZEBjj4', 'coaiqatIuV', 'WPoiKyb69j', 'Ie7iGpUsXg', 'ph2ilgWcCO', 'vSSieFWTdU', 'LHgih1WRQj', 'QQ7iW9uleZ', 'Ei2ijlyOOy'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, EmY1EtSPxjiKB1DtBQw.cs High entropy of concatenated method names: 'ICoSHYTwmE', 'kB2SFBPrjd', 'NciS4xQDsp', 'GcBSRgOQbb', 'rqHS5IoTMH', 'LvEp52Czis4LvC0Q0yA', 'A7pwFiDuFqSnosfjf7I', 'HJNh8jDv66XqMprcZQG', 'RqtFsoDbs7F21NTby6s', 'bBHQxODJ6BomIUwFGYB'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, vqbwCgd2VQ2xTN0p73i.cs High entropy of concatenated method names: 'ISadDHg4Wg', 'p04kApHYuHgabZMwqVD', 'CaYxI1H6eqXUF7ZuoVW', 'CALrsPHTSX6oTts7KJK', 'YSF6A8H7kidqZPBlnJs', 'mpwv66HR4EQqRI2dqNk', 'dHNxjCH5E8G8KUiWvUZ'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, WFtcYaSYUKalxjEXaMm.cs High entropy of concatenated method names: 'AyjSTVCWTB', 'lH2S7Mbbxd', 'dJMS1KZkiA', 'g6Dh72D6Ax5KHdnnCoi', 'I6YFGVDT7BxSjH8erpj', 'fyfNT6D7vdFP7intqQc', 'cThnTMD5jNBOVwjUUok', 'flXMWvDYuWrEGF7j6su', 'kRG2hLD1LiMlIt235KM', 'ylHJPMD0Spbh1ffoMjs'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, CgEusWNzJJUCKRCMbEb.cs High entropy of concatenated method names: 'HmtlpmJbSQ', 'WNll9fDY6X', 'cjclVv6qSA', 'kqml2TxbTC', 'HZjlCiewP9', 'OOvlDU9OBt', 'JN5lmDN8GX', 'aQfZy1HKDd', 'YfjltFG5q9', 'avhlP70UZr'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, C3gm0NS9TwrQ4wjHHar.cs High entropy of concatenated method names: 'ELdS2UeZ1l', 'WZcSCmlR0O', 'tPsojbC1TicxGLCQAlY', 'm2ns16C0OmwCnE6BeDp', 'V85WSWCnwuBoiVKeObT', 'i6YsEkCf2IIdDs3bTxM', 'S5Et4LCgjSgZuH88I4j', 'p08c0ACQUdnr7SpvRkU', 'Yahbr1CwMm0BLjE9Dhe'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, iTm8L9OovmtpJBFSxrU.cs High entropy of concatenated method names: 'UaDOkWgTT3', 'QvfLsraygGQXN9YRJe1', 'QYN2iIapeAsnfvDrFn6', 'ufUrrSa998AeN4RZS3E', 'EhmkjhaVQOw64YLUoXM', 'bP9Z4Ha2i5P06H5pgsI', 'AZ9nXVaCJ7EHp8KMMbV', 'cMVVKNaDc2sT6vyVGj8', 'HSRHRlajqBNZErLoHH1', 'XdveX5arJ96rgpl3Y8r'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, LIN6BXOBYop2Ew2kjVF.cs High entropy of concatenated method names: 'zGAOznUn4j', 'TbCdvY9Ysi', 'fC4dua6PRm', 'rswqNuaaKQKnFrDGTSW', 'A45yBdaH6c3ccgkuPGf', 'sY19gLatjhodfjLPpBD', 'UYlQ80aPRQdI4qjUySV', 'BQZFJpaFV3cOYVUB3bT', 'vwTuWLa4sWN7I3FlXFB', 'JHP2vGaRCwOxCbOSjtd'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, acqpLLdygutBcaWGBUX.cs High entropy of concatenated method names: 'd4Fd97Zxbe', 'jNDdVkdvLo', 'Ub5Ll5Htx6S5yNko74U', 'y6lSpdHP2iKcbElehwo', 'BMSumvHDysTEweSFlQ6', 'Hb0lpSHmYD910sR2JIB', 'QD0au6HaWXK2M0AxkQY', 'CHPkGHHHkV1tN3XskZ2', 'ORQYLyHFCfuD1GDq8oN'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, Q4CgRbNRpVDRJSuRcf9.cs High entropy of concatenated method names: 'TdaNwusGbW', 'flWN33W0Tj', 'iyhN8pEbAh', 'haaNXhae0j', 'guTNInfdbN', 'xMONocJMY3', 'PEoNcOn5lf', 'O80Nkn42mb', 'WUZNBtTTOc', 'WTUNAj2hIr'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, SpbxoereoKyUhOJW9F.cs High entropy of concatenated method names: 'Ownp86Ktg', 'ufA9o4SGW', 'DC22V0GMD', 'rJgVFgind', 'GDQHyw2SjmHKW0fXhxM', 'DGQhun2iFujY1V2bhv6', 'AHkMXN2s89UQe2g92L4', 'OpMFMu2LSa0Js4W0dSZ', 'EHwW0U2O0IR3TeR9XPG', 'qeGKc72Jd7AUm7GYNXs'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, xPUceZiaJq5d1uh9UQG.cs High entropy of concatenated method names: 'pMPi6qvaJB', 'U0tgRDmzyRbcgY9k5ih', 'd5WfDbtuhgUUTV4436T', 'EhIDgUmBrOjXtwL0c0y', 'EbFeYamA6tTSH303B76', 'bhc9Vhm8vwpFf6ixZBy', 'UVccM3mX1CTguyBleJf'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, v64a2TOa9ZrgLPu1Kyn.cs High entropy of concatenated method names: 'pPSOFAVdIe', 'NWYO45NXFC', 'rxMh3jPUn4iVeOTn4pM', 'K7QpQFPqMZHJGrlVSrw', 'R9ZOdtPxFoTAv7kYefC', 'TtcMCxPKMvxXhtPCbF8', 'pMPkCpPG41TOMGLejuN', 'LJHTvrPlxsKXN33AWBq', 'dkKoY9PepehRDYmrZHp', 'bcZEyFPhOO7GqlqDlVv'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, PLDep8Om9ArKd9wLlFt.cs High entropy of concatenated method names: 'tNkOPwkGdX', 'daEmw5PsK9hBtkwN6Lt', 'FVLjq3PLQOxCd3HuJGD', 'nKb2UlPOmySqs684dE5', 'aBVwSmPdx2JnUBbMBdU', 'Fv9rjMPEudtEG9OHFWw', 'JKbn0qPNJbcIgsd1mX1', 'VfwwBJPSWc2PljWqBLF', 'vmmMpmPiWyklRhxoyLY'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, sYjtawd4K2M2MYpuPvh.cs High entropy of concatenated method names: 'vipVKKF1LaEHCnNbH7K', 'ShyKYQF08rEO25lPxVf', 'hLoNN5nlXk', 'aQ81MCFQ2AkeIPwb5cu', 'BsQJSiFwLQ0rg3aDLE7', 'oYU5ejF33uiO42mt1id', 'WtUNirF8onZi3NmtHP2', 'LGJSs0FXQ2Mv3V3q9Pm', 'iLp0OZFITs2SjGA56YU', 'PY6nCrFotfoOZokrFUU'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, MLbCVQdG2K75TIZp2T7.cs High entropy of concatenated method names: 'CcEdeDClcp', 'TI0dhOCucT', 'kXpsWLHbEcZwqb4f0Aw', 'T9YiYHHJQrgBYIef4Kf', 'uJvaGuHMxatnbIRKkjS', 'YdDwmAHuCeKLXA75EN3', 'pJb7anHvQroLhn1Ib9G', 'klvXJtHS2JBIcDF4TnE', 'M4NeugHi8pUxo1Yw4NO', 'UxOZcmHsPkmp6kMbQi4'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, v5Bi7mdJHDtycDxIQnT.cs High entropy of concatenated method names: 'D5kdSZwNko', 'hFEdirA2xk', 'o8qdL30rby', 'j4bsjgaTkAfsdSoQHox', 'ITqMG5aY7YbjEPhfLae', 'elr30Wa6vpMC9MNIHvR', 'Ium8HMa7TcowObKlE5D', 'P7eNW6a1T5UW9hwKu4S'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, QQ3beRddoYX4CnPXHDZ.cs High entropy of concatenated method names: 'fxtdNbFNDh', 'pHdMkuagA6Sfa2RA70p', 'WcBMEYaQrTIR2RJBPbn', 'T7h5YoawkgFxEc9GZCy', 'o7qNMra3jT3QVuDiaQu', 'zFGIIca8PHVDx7i4hbi', 'uSO7wGaXuACOY19hXxN', 'atJqAEanDfhsufJG4at', 'TvdCBIafj1yq4Z6RNTF'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, KgaJdhi9yCnBKYwNKut.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'LH0i2xwXK5', 'NtProtectVirtualMemory', 'jWJG39m7SaPVsfau3UY', 'hyQXBnm6HbCDuR2bThv', 'FH6oMJmTTaDuFtyqEYp', 'ui0Wl7m1Xh2V2otOOqg'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, pOjlZUO6j8JIEeA6kRx.cs High entropy of concatenated method names: 'l0eO0GrXy6', 'IykOns2FFP', 'RekO7lrEHi', 'F0iO1fwlGg', 'ebEPXjPB5AI6TW18TY2', 'O3cYMBPA4A5HwEfAmBp', 'lNgIrePzMp9bw2KgYRW', 'SB0iREauToLDk4nFL9W', 'wSbtGKPcQYPov1wCRrc', 'w9pbrTPkLuRk67O4qK9'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, avpuerSgeS18BbJq9ck.cs High entropy of concatenated method names: 'X6ASw2qqP0', 'FWQIHfDBItsOi69jOtj', 'AGrNHrDAArFNmoMZZbQ', 'fiUhgVDzkQSu8KLp4nl', 'cXB5StDcLCEbUBXRLNl', 'l2C95MDkPMal2GKU24n'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, s9ff3sZMQkg7L1FZn2.cs High entropy of concatenated method names: 'vxVxdFI2A', 'tCvKJR6Wp', 'DYBlr7Jug', 'wPCeXUx7P', 'sxlqimZKX', 'xZDmFfVoP9xpNiU0m5d', 'bVhm9oVcdMREYTOQQq7', 'X1i8ARVkGgF6edVU3sW', 'DN8ClSVBa7dGWqZivxU', 'obnQbiVA5Oe9ycaD0iQ'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, uaA9QNdWt3jZu7Bduex.cs High entropy of concatenated method names: 'o5UdrVm8Gu', 'GhhiaaHWeO5ovlIFaID', 'OUwaq4HjvZOywOmjjK9', 'BcS5qKHrvDHjX2vR7Bf', 'CqdwCqHydvN9sovM5Vd', 'kTgM0rHpq0VqN4458Se', 'cGx9E1H9MOF5bw8xWik', 'h60jHEHVbAbqHvtTo2T', 'jmkRtBH2w1vB4eZQaVU', 'xPOD0GHeNmIQErlNaOX'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, zATojbbpjXD8F78DRWL.cs High entropy of concatenated method names: 'ThgbVi7ve0', 'yevGf72T8rxxuLeRvxn', 'SablPs27E3r2EqjUlQO', 'NmpRKZ21w3ughxqxw72', 'SbRZQs20R4LpcIM0oHx', 'otjo6N2nkTSIUkv3GGC', 'NljxXd2fnMR9xNyUJXN', 'moYf9C2gwXllkl3V8Hd', 'oai4N72Q0dZVulBhf9O', 'sdBC6r2we0mNkCynlor'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, e6iAQUOQYmctIjmG0M8.cs High entropy of concatenated method names: 'UdUO3XYiJf', 'kG336oaiujtVu7grX7K', 'VNxUkqasYr3OP2uufZd', 'kkU9PraL0a1DJXj58gl', 'rmB4n2aOshgpkk4KwcA', 'JiBn74adytRC7jGl3oH', 'OmA66baEQIs3TXxKPin', 'pKwTLBaNZv1hGDtv2r4', 'n3LEt4aZDb6GeAaQele', 'a2VJ6naUva9hlCJL2D8'
Source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, O9SOTCdPTdh88TV31Fm.cs High entropy of concatenated method names: 'QMN73nmJl7', 'P9wHdMFPiotJ1W5noM6', 'r1jvHuFavYw4vtEhiic', 'j9df3gFHS931Vh744FL', 'UuO8kVFFo8eVGSx1rTx', 'oQbMDiF4RnhlaFjpIoS', 'xcvVc5FmwOBfwfIhQoO', 'jpnmhDFtc8S0LCcRnfq', 'la4sxlFRgxPMu6jlLVm', 'snwT0yF5R0FCxqpMpAm'
Drops PE files
Source: C:\Users\user\Desktop\Ref#0503711.exe File created: C:\Users\user\AppData\Local\Temp\docdd.exe Jump to dropped file
Source: C:\Users\user\Desktop\Ref#0503711.exe File created: C:\Users\user\AppData\Roaming\ioibrzb.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\docdd.exe File created: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Jump to dropped file
Source: C:\Users\user\Desktop\Ref#0503711.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ioibrzb Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ioibrzb Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Ref#0503711.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Ref#0503711.exe PID: 7332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tmp2083.tmp.exe PID: 7652, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Ref#0503711.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Ref#0503711.exe, 00000000.00000002.1691296366.0000000003411000.00000004.00000800.00020000.00000000.sdmp, tmp2083.tmp.exe, 00000003.00000002.1751533958.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Ref#0503711.exe Memory allocated: 1970000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Memory allocated: 3410000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Memory allocated: 5410000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Memory allocated: BD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Memory allocated: 2700000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Memory allocated: 4700000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Memory allocated: 12C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Memory allocated: 2ED0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Memory allocated: 2D00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Memory allocated: 2AB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Memory allocated: 2CD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Memory allocated: 2B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Memory allocated: 17C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Memory allocated: 3230000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Memory allocated: 5230000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 3000000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999890 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999779 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999672 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999561 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999452 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999344 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999234 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999122 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999009 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998906 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998793 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998687 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998578 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998469 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998344 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998234 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998125 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998006 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2997889 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2997777 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2997665 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2997499 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2997379 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2997219 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Window / User API: threadDelayed 1625 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Window / User API: threadDelayed 3487 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Window / User API: threadDelayed 2404 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Window / User API: threadDelayed 1985 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -17524406870024063s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -3000000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7552 Thread sleep count: 1625 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7552 Thread sleep count: 3487 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2999890s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2999779s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2999672s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2999561s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2999452s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2999344s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2999234s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2999122s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2999009s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2998906s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2998793s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2998687s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2998578s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2998469s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2998344s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2998234s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2998125s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2998006s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2997889s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2997777s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2997665s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2997499s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2997379s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7504 Thread sleep time: -2997219s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7532 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe TID: 7412 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -12912720851596678s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7608 Thread sleep count: 2404 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7608 Thread sleep count: 1985 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -99890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -99780s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -99671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -99562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -99447s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -99340s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -99183s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -99070s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -98905s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -98784s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -98625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -98514s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -98381s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -98246s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -98139s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -98026s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -97920s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -97812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -97689s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -97548s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -97421s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -97308s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -97202s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -97075s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe TID: 7604 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Ref#0503711.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Ref#0503711.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Ref#0503711.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 3000000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999890 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999779 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999672 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999561 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999452 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999344 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999234 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999122 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2999009 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998906 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998793 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998687 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998578 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998469 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998344 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998234 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998125 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2998006 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2997889 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2997777 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2997665 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2997499 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2997379 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 2997219 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 99890 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 99780 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 99671 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 99562 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 99447 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 99340 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 99183 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 99070 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 98905 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 98784 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 98625 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 98514 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 98381 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 98246 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 98139 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 98026 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 97920 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 97812 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 97689 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 97548 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 97421 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 97308 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 97202 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 97075 Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: tmp2083.tmp.exe.1.dr Binary or memory string: CompanyNameVMware, Inc.D
Source: tmp2083.tmp.exe.1.dr Binary or memory string: ProductNameVMware Workstation>
Source: docdd.exe, 00000001.00000002.1727611492.0000000000C80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: tmp2083.tmp.exe.1.dr Binary or memory string: VMware, Inc.
Source: tmp2083.tmp.exe.1.dr Binary or memory string: CommentsVMware Player:
Source: Ref#0503711.exe, 00000002.00000002.2914646744.00000000011EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: tmp2083.tmp.exe, 00000003.00000002.1751533958.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: docdd.exe, 00000001.00000002.1727611492.0000000000C80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: docdd.exe, 00000001.00000002.1752498507.0000000005C2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NameVMware Wor
Source: tmp2083.tmp.exe.1.dr Binary or memory string: VMware, Inc.1
Source: tmp2083.tmp.exe.1.dr Binary or memory string: VMware, Inc.0
Source: tmp2083.tmp.exe, 00000003.00000002.1751533958.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: tmp2083.tmp.exe.1.dr Binary or memory string: VMware Workstation%
Source: tmp2083.tmp.exe.1.dr Binary or memory string: FileDescriptionVMware Player:
Source: tmp2083.tmp.exe.1.dr Binary or memory string: noreply@vmware.com
Source: tmp2083.tmp.exe.1.dr Binary or memory string: VMware Player
Source: tmp2083.tmp.exe.1.dr Binary or memory string: VMware Workstation
Source: docdd.exe, 00000001.00000002.1727611492.0000000000C80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: docdd.exe, 00000001.00000002.1752498507.0000000005C2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sVMware Player:
Source: C:\Users\user\Desktop\Ref#0503711.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\Ref#0503711.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Ref#0503711.exe Memory written: C:\Users\user\Desktop\Ref#0503711.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Memory written: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Ref#0503711.exe Process created: C:\Users\user\AppData\Local\Temp\docdd.exe "C:\Users\user\AppData\Local\Temp\docdd.exe" Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Process created: C:\Users\user\Desktop\Ref#0503711.exe "C:\Users\user\Desktop\Ref#0503711.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Process created: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe "C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Process created: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe "C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Ref#0503711.exe Queries volume information: C:\Users\user\Desktop\Ref#0503711.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\docdd.exe Queries volume information: C:\Users\user\AppData\Local\Temp\docdd.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Queries volume information: C:\Users\user\Desktop\Ref#0503711.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\tmp2083.tmp.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.2.Ref#0503711.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#0503711.exe.4acd860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#0503711.exe.48eac18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2919838157.0000000002F47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2912403992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691296366.0000000003850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2919838157.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1706049120.0000000004701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2919838157.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1706049120.00000000047F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ref#0503711.exe PID: 7332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ref#0503711.exe PID: 7416, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Ref#0503711.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Ref#0503711.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Ref#0503711.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Ref#0503711.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\Ref#0503711.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 2.2.Ref#0503711.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#0503711.exe.4acd860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#0503711.exe.48eac18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2912403992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691296366.0000000003850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2919838157.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1706049120.0000000004701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1706049120.00000000047F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ref#0503711.exe PID: 7332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ref#0503711.exe PID: 7416, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.2.Ref#0503711.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#0503711.exe.4acd860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#0503711.exe.49dc240.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ref#0503711.exe.48eac18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2919838157.0000000002F47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2912403992.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691296366.0000000003850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2919838157.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1706049120.0000000004701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2919838157.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1706049120.00000000047F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ref#0503711.exe PID: 7332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Ref#0503711.exe PID: 7416, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1528272 Sample: Ref#0503711.exe Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 36 tempfiles.ninja 2->36 38 api.ipify.org 2->38 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 10 other signatures 2->52 10 Ref#0503711.exe 1 6 2->10         started        signatures3 process4 file5 30 C:\Users\user\AppData\Roaming\ioibrzb.exe, PE32 10->30 dropped 32 C:\Users\user\AppData\Local\Temp\docdd.exe, PE32 10->32 dropped 34 C:\Users\user\...\ioibrzb.exe:Zone.Identifier, ASCII 10->34 dropped 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->58 60 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->60 62 Injects a PE file into a foreign processes 10->62 14 Ref#0503711.exe 14 2 10->14         started        18 docdd.exe 15 6 10->18         started        signatures6 process7 dnsIp8 40 162.254.34.31, 49733, 587 VIVIDHOSTINGUS United States 14->40 42 api.ipify.org 172.67.74.152, 443, 49732 CLOUDFLARENETUS United States 14->42 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->64 66 Tries to steal Mail credentials (via file / registry access) 14->66 68 Tries to harvest and steal ftp login credentials 14->68 70 Tries to harvest and steal browser information (history, passwords, etc) 14->70 44 tempfiles.ninja 104.21.56.249, 443, 49731 CLOUDFLARENETUS United States 18->44 28 C:\Users\user\AppData\...\tmp2083.tmp.exe, PE32 18->28 dropped 72 Machine Learning detection for dropped file 18->72 21 tmp2083.tmp.exe 2 18->21         started        file9 signatures10 process11 signatures12 54 Machine Learning detection for dropped file 21->54 56 Injects a PE file into a foreign processes 21->56 24 tmp2083.tmp.exe 21->24         started        process13 process14 26 WerFault.exe 24->26         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.254.34.31
 unknown United States
64200 VIVIDHOSTINGUS true
104.21.56.249
 tempfiles.ninja United States
13335 CLOUDFLARENETUS false
172.67.74.152
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
tempfiles.ninja 104.21.56.249 true
api.ipify.org 172.67.74.152 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
  • URL Reputation: safe
 unknown
https://tempfiles.ninja/d/4wmb3QgRfXU5M4s2/bHzsEUNaVOT3WXU2lPvPRcIphVFu9mJr false
    		unknown