Windows Analysis Report
jbuESggTv0.exe

Overview

General Information

Sample name: jbuESggTv0.exe
renamed because original name is a hash value
Original sample name: 13cb2135790780947be355c3c9ed42be1987c9e64d6cd0c43a5a4c5ae289dc30.exe
Analysis ID: 1562382
MD5: 2ed7362e959d42385d4e6d231a6840dd
SHA1: b3cc47ac92296d978fc991d9658c771f225dbf18
SHA256: 13cb2135790780947be355c3c9ed42be1987c9e64d6cd0c43a5a4c5ae289dc30
Tags: cia-tfexeuser-JAMESWT_MHT
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Drops VBS files to the startup folder
Drops large PE files
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\svcost.exe Avira: detection malicious, Label: HEUR/AGEN.1310409
Found malware configuration
Source: 00000003.00000002.3816754828.0000000000402000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sendpcamill@juguly.shop", "Password": "rEBS93U9rKLG", "Host": "juguly.shop", "Port": "587", "Version": "5.1"}
Multi AV Scanner detection for submitted file
Source: jbuESggTv0.exe ReversingLabs: Detection: 68%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\svcost.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: jbuESggTv0.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: jbuESggTv0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49766 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49805 version: TLS 1.0
Source: jbuESggTv0.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: jbuESggTv0.exe, 00000000.00000002.1593158495.000000000436B000.00000004.00000800.00020000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1594608307.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: jbuESggTv0.exe, 00000000.00000002.1593158495.000000000436B000.00000004.00000800.00020000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1594608307.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: jbuESggTv0.exe, 00000000.00000002.1602327042.00000000061C0000.00000004.08000000.00040000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1721691566.0000000004231000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: jbuESggTv0.exe, 00000000.00000002.1602327042.00000000061C0000.00000004.08000000.00040000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1721691566.0000000004231000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \.PDb source: svcost.exe.0.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 4x nop then jmp 02FD1C50h 0_2_02FD1B98
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 4x nop then jmp 02FD1C50h 0_2_02FD1B91
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 4x nop then jmp 05BC0A1Ch 0_2_05BC0D2E
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 4x nop then jmp 05BC0A1Ch 0_2_05BC0980
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 4x nop then jmp 05BC0A1Ch 0_2_05BC0931
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 4x nop then jmp 05BC0A1Ch 0_2_05BC0971
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0289F206h 3_2_0289F017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0289FB90h 3_2_0289F017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_0289E538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_0289EB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_0289ED4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05641011h 3_2_05640D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564F009h 3_2_0564ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564C041h 3_2_0564BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564DEA9h 3_2_0564DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564B791h 3_2_0564B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05640751h 3_2_056404A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564E759h 3_2_0564E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564DA51h 3_2_0564D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564C8F1h 3_2_0564C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05641A38h 3_2_05641620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564F8B9h 3_2_0564F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05641A38h 3_2_05641610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564D1A1h 3_2_0564CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05641A38h 3_2_05641966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564BBE9h 3_2_0564B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05640BB1h 3_2_05640900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564EBB1h 3_2_0564E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564C499h 3_2_0564C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05641471h 3_2_056411C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564F461h 3_2_0564F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 056402F1h 3_2_05640040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564E301h 3_2_0564E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564D5F9h 3_2_0564D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564FD11h 3_2_0564FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 0564CD49h 3_2_0564CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A8945h 3_2_065A8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A5D19h 3_2_065A5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A58C1h 3_2_065A5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A6171h 3_2_065A5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_065A36CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A6A21h 3_2_065A6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A65C9h 3_2_065A6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A6E79h 3_2_065A6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_065A33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_065A33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A72FAh 3_2_065A7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A02E9h 3_2_065A0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A0B99h 3_2_065A08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A0741h 3_2_065A0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A7751h 3_2_065A74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A8001h 3_2_065A7D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A0FF1h 3_2_065A0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A7BA9h 3_2_065A7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A5441h 3_2_065A5198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 065A8459h 3_2_065A81B0
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 05C7F5B8h 5_2_05C7F500
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 05C70A1Ch 5_2_05C70D2E
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 05C7F5B8h 5_2_05C7F4F9
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 05C70A1Ch 5_2_05C70980
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 05C70A1Ch 5_2_05C70971
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 05C70A1Ch 5_2_05C70931
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 4x nop then jmp 05C70A1Ch 5_2_05C70BD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 00CAF1F6h 6_2_00CAF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 00CAFB80h 6_2_00CAF491
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 6_2_00CAE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05288945h 6_2_05288608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05287BA9h 6_2_05287900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05280FF1h 6_2_05280D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05288001h 6_2_05287D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05288459h 6_2_052881B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05285441h 6_2_05285198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 052802E9h 6_2_05280040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 052872FAh 6_2_05287050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05287751h 6_2_052874A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05280741h 6_2_05280498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05280B99h 6_2_052808F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 052865C9h 6_2_05286320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05286A21h 6_2_05286778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 6_2_052833A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 6_2_052833B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05286E79h 6_2_05286BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 052858C1h 6_2_05285618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05285D19h 6_2_05285A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then jmp 05286171h 6_2_05285EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 6_2_052836CE

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 0.2.jbuESggTv0.exe.4235570.2.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View IP Address: 172.67.177.134 172.67.177.134
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49815 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49793 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49760 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49778 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49772 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49812 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49799 -> 172.67.177.134:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49813 -> 172.67.177.134:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49766 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49805 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: jbuESggTv0.exe, svcost.exe.0.dr String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: jbuESggTv0.exe, svcost.exe.0.dr String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: InstallUtil.exe, 00000003.00000002.3819753587.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.0000000002843000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.000000000293B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.000000000292D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000003.00000002.3819753587.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C32000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.0000000002843000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.000000000293B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.0000000002837000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.000000000292D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.000000000290D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.0000000002886000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000003.00000002.3819753587.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.0000000002781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.0000000004231000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3816754828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1721691566.00000000043BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: jbuESggTv0.exe, svcost.exe.0.dr String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: jbuESggTv0.exe, svcost.exe.0.dr String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: jbuESggTv0.exe, svcost.exe.0.dr String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: jbuESggTv0.exe, svcost.exe.0.dr String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: jbuESggTv0.exe, svcost.exe.0.dr String found in binary or memory: http://ocsps.ssl.com0
Source: jbuESggTv0.exe, svcost.exe.0.dr String found in binary or memory: http://ocsps.ssl.com0?
Source: jbuESggTv0.exe, svcost.exe.0.dr String found in binary or memory: http://ocsps.ssl.com0_
Source: InstallUtil.exe, 00000003.00000002.3819753587.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.000000000293B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.000000000292D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.000000000285B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: jbuESggTv0.exe, 00000000.00000002.1580157490.0000000003293000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1711136967.0000000003293000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.0000000002781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jbuESggTv0.exe, svcost.exe.0.dr String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: jbuESggTv0.exe, svcost.exe.0.dr String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: jbuESggTv0.exe, 00000000.00000002.1602327042.00000000061C0000.00000004.08000000.00040000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1721691566.0000000004231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: jbuESggTv0.exe, 00000000.00000002.1602327042.00000000061C0000.00000004.08000000.00040000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1721691566.0000000004231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: jbuESggTv0.exe, 00000000.00000002.1602327042.00000000061C0000.00000004.08000000.00040000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1721691566.0000000004231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: InstallUtil.exe, 00000003.00000002.3819753587.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.0000000002843000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.000000000293B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.000000000292D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.0000000002886000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.0000000004231000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3816754828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1721691566.00000000043BA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.0000000002843000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000006.00000002.3819172841.0000000002886000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: InstallUtil.exe, 00000003.00000002.3819753587.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002BAB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.000000000293B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.000000000292D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.0000000002886000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: jbuESggTv0.exe, 00000000.00000002.1602327042.00000000061C0000.00000004.08000000.00040000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1721691566.0000000004231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: jbuESggTv0.exe, 00000000.00000002.1602327042.00000000061C0000.00000004.08000000.00040000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1580157490.0000000003293000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1711136967.0000000003293000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1721691566.0000000004231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: jbuESggTv0.exe, 00000000.00000002.1602327042.00000000061C0000.00000004.08000000.00040000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1721691566.0000000004231000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: jbuESggTv0.exe, svcost.exe.0.dr String found in binary or memory: https://www.ssl.com/repository0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.jbuESggTv0.exe.4235570.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.jbuESggTv0.exe.4235570.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.jbuESggTv0.exe.4235570.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.jbuESggTv0.exe.4235570.2.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.jbuESggTv0.exe.4235570.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.jbuESggTv0.exe.4235570.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.jbuESggTv0.exe.4235570.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.jbuESggTv0.exe.4235570.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.3816754828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.3816754828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1593158495.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1593158495.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000005.00000002.1721691566.00000000043BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.1721691566.00000000043BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: jbuESggTv0.exe PID: 7252, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: jbuESggTv0.exe PID: 7252, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 7636, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 7636, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: svcost.exe PID: 7740, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: svcost.exe PID: 7740, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Drops large PE files
Source: C:\Users\user\Desktop\jbuESggTv0.exe File dump: svcost.exe.0.dr 285155438 Jump to dropped file
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Contains functionality to call native functions
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_02FD5F68 NtResumeThread, 0_2_02FD5F68
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_02FD3498 NtProtectVirtualMemory, 0_2_02FD3498
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_02FD5F61 NtResumeThread, 0_2_02FD5F61
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_02FD3490 NtProtectVirtualMemory, 0_2_02FD3490
Detected potential crypto function
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_01798A18 0_2_01798A18
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_0179CAE0 0_2_0179CAE0
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_01798A0B 0_2_01798A0B
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_02FD0040 0_2_02FD0040
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_02FD6A30 0_2_02FD6A30
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_02FD6A21 0_2_02FD6A21
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_02FD7078 0_2_02FD7078
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_02FD7069 0_2_02FD7069
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_02FD003F 0_2_02FD003F
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_05BC0D2E 0_2_05BC0D2E
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_05BC0980 0_2_05BC0980
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_05BC0931 0_2_05BC0931
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_05BC0971 0_2_05BC0971
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_06C2DEF8 0_2_06C2DEF8
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_06C2E350 0_2_06C2E350
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_06C10040 0_2_06C10040
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_06C10007 0_2_06C10007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0289B338 3_2_0289B338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0289F017 3_2_0289F017
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_02896120 3_2_02896120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_028946D9 3_2_028946D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0289B7E2 3_2_0289B7E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_02896748 3_2_02896748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0289C762 3_2_0289C762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0289C457 3_2_0289C457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0289BAC0 3_2_0289BAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0289CA42 3_2_0289CA42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_02899868 3_2_02899868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0289BDA0 3_2_0289BDA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0289C480 3_2_0289C480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0289B502 3_2_0289B502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0289E527 3_2_0289E527
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0289E538 3_2_0289E538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_02893572 3_2_02893572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_05647D90 3_2_05647D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_05648460 3_2_05648460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_05643870 3_2_05643870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_05640D60 3_2_05640D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564ED60 3_2_0564ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564ED50 3_2_0564ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_05640D51 3_2_05640D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564BD88 3_2_0564BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564BD98 3_2_0564BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564DC00 3_2_0564DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564B4E8 3_2_0564B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564B4D7 3_2_0564B4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_056404A0 3_2_056404A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564E4A0 3_2_0564E4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564E4B0 3_2_0564E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_05640490 3_2_05640490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564D7A8 3_2_0564D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564D798 3_2_0564D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564C648 3_2_0564C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564C638 3_2_0564C638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564F600 3_2_0564F600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564F610 3_2_0564F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564CEEA 3_2_0564CEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564CEF8 3_2_0564CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564B940 3_2_0564B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564B930 3_2_0564B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_05640900 3_2_05640900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564E908 3_2_0564E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564C1E0 3_2_0564C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564C1F0 3_2_0564C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_056411C0 3_2_056411C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564F1A9 3_2_0564F1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_056411B0 3_2_056411B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564F1B8 3_2_0564F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_05643860 3_2_05643860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_05640040 3_2_05640040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564E049 3_2_0564E049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564E058 3_2_0564E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564001A 3_2_0564001A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_056408F0 3_2_056408F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564E8F8 3_2_0564E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564D340 3_2_0564D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564D350 3_2_0564D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_056473E8 3_2_056473E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564DBF1 3_2_0564DBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564FA68 3_2_0564FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564FA59 3_2_0564FA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564CAA0 3_2_0564CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0564CA90 3_2_0564CA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AAA58 3_2_065AAA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AD670 3_2_065AD670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A8608 3_2_065A8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AB6E8 3_2_065AB6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AC388 3_2_065AC388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A8C51 3_2_065A8C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AA408 3_2_065AA408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AD028 3_2_065AD028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AB0A0 3_2_065AB0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065ABD38 3_2_065ABD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AC9D8 3_2_065AC9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A11A0 3_2_065A11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AAA48 3_2_065AAA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A5A70 3_2_065A5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AD662 3_2_065AD662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A5A60 3_2_065A5A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A5618 3_2_065A5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A560A 3_2_065A560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A8602 3_2_065A8602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AB6D9 3_2_065AB6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A5EC8 3_2_065A5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A5EB8 3_2_065A5EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A6778 3_2_065A6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AC378 3_2_065AC378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A6776 3_2_065A6776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A6312 3_2_065A6312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A3730 3_2_065A3730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A6320 3_2_065A6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A6BD0 3_2_065A6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A6BC1 3_2_065A6BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AA3F8 3_2_065AA3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A33B8 3_2_065A33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A33A8 3_2_065A33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A7050 3_2_065A7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A7049 3_2_065A7049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A0040 3_2_065A0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A2818 3_2_065A2818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AD018 3_2_065AD018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A0006 3_2_065A0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A2807 3_2_065A2807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A4430 3_2_065A4430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A08F0 3_2_065A08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A78F0 3_2_065A78F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A08E0 3_2_065A08E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A0498 3_2_065A0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AB090 3_2_065AB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A7497 3_2_065A7497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A0488 3_2_065A0488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A74A8 3_2_065A74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A7D58 3_2_065A7D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A0D48 3_2_065A0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A7D48 3_2_065A7D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A7900 3_2_065A7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A0D39 3_2_065A0D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065ABD28 3_2_065ABD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065AC9C8 3_2_065AC9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A5198 3_2_065A5198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A1191 3_2_065A1191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A518A 3_2_065A518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A81B0 3_2_065A81B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A81A0 3_2_065A81A0
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_03098A18 5_2_03098A18
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_0309CAE0 5_2_0309CAE0
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_03098A1D 5_2_03098A1D
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_05C7D9A8 5_2_05C7D9A8
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_05C70D2E 5_2_05C70D2E
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_05C70980 5_2_05C70980
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_05C7D998 5_2_05C7D998
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_05C70971 5_2_05C70971
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_05C70931 5_2_05C70931
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_06D1DEF8 5_2_06D1DEF8
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_06D1E350 5_2_06D1E350
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_06D00040 5_2_06D00040
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_06D00007 5_2_06D00007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CAF007 6_2_00CAF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CAC190 6_2_00CAC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CA6108 6_2_00CA6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CAB4F3 6_2_00CAB4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CAC470 6_2_00CAC470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CAC753 6_2_00CAC753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CA6730 6_2_00CA6730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CA9858 6_2_00CA9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CA4AD9 6_2_00CA4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CACA33 6_2_00CACA33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CABBD3 6_2_00CABBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CABEB0 6_2_00CABEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CAE517 6_2_00CAE517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CAE528 6_2_00CAE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528BD38 6_2_0528BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528C9D8 6_2_0528C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528D028 6_2_0528D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528A408 6_2_0528A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528B0A0 6_2_0528B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05288B58 6_2_05288B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528C388 6_2_0528C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05288608 6_2_05288608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528D670 6_2_0528D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528AA58 6_2_0528AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528B6E8 6_2_0528B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528BD28 6_2_0528BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05280D39 6_2_05280D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05287900 6_2_05287900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05280D48 6_2_05280D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05287D48 6_2_05287D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05287D58 6_2_05287D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_052811A0 6_2_052811A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_052881A0 6_2_052881A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_052881B0 6_2_052881B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528518A 6_2_0528518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05285198 6_2_05285198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05281191 6_2_05281191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_052885FC 6_2_052885FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528C9C8 6_2_0528C9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05284430 6_2_05284430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05280007 6_2_05280007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05282807 6_2_05282807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05282818 6_2_05282818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528D018 6_2_0528D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05280040 6_2_05280040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05287040 6_2_05287040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05287050 6_2_05287050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_052874A8 6_2_052874A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05280488 6_2_05280488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528B08F 6_2_0528B08F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05280498 6_2_05280498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05287497 6_2_05287497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_052808E0 6_2_052808E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_052808F0 6_2_052808F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_052878F0 6_2_052878F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05286320 6_2_05286320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05283730 6_2_05283730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05286312 6_2_05286312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528676A 6_2_0528676A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05286778 6_2_05286778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528C378 6_2_0528C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_052833A8 6_2_052833A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_052833B8 6_2_052833B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528A3F8 6_2_0528A3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05286BC1 6_2_05286BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05286BD0 6_2_05286BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528560A 6_2_0528560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05285618 6_2_05285618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05285A60 6_2_05285A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528D663 6_2_0528D663
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05285A70 6_2_05285A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528AA48 6_2_0528AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05285EB8 6_2_05285EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_05285EC8 6_2_05285EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_0528B6D9 6_2_0528B6D9
PE / OLE file has an invalid certificate
Source: jbuESggTv0.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: jbuESggTv0.exe, 00000000.00000002.1593158495.000000000436B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs jbuESggTv0.exe
Source: jbuESggTv0.exe, 00000000.00000002.1593158495.000000000436B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEeuhgbvwp.dll" vs jbuESggTv0.exe
Source: jbuESggTv0.exe, 00000000.00000002.1602327042.00000000061C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs jbuESggTv0.exe
Source: jbuESggTv0.exe, 00000000.00000002.1574182774.00000000011FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs jbuESggTv0.exe
Source: jbuESggTv0.exe, 00000000.00000000.1345094713.0000000000CC2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRef#105.exe8 vs jbuESggTv0.exe
Source: jbuESggTv0.exe, 00000000.00000002.1594888554.0000000005F30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameEeuhgbvwp.dll" vs jbuESggTv0.exe
Source: jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs jbuESggTv0.exe
Source: jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs jbuESggTv0.exe
Source: jbuESggTv0.exe, 00000000.00000002.1593158495.0000000004231000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs jbuESggTv0.exe
Source: jbuESggTv0.exe, 00000000.00000002.1594608307.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs jbuESggTv0.exe
Source: jbuESggTv0.exe, 00000000.00000002.1580157490.0000000003231000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs jbuESggTv0.exe
Source: jbuESggTv0.exe, 00000000.00000002.1580157490.0000000003293000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs jbuESggTv0.exe
Source: jbuESggTv0.exe, 00000000.00000002.1580157490.0000000003814000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs jbuESggTv0.exe
Source: jbuESggTv0.exe Binary or memory string: OriginalFilenameRef#105.exe8 vs jbuESggTv0.exe
Uses 32bit PE files
Source: jbuESggTv0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.jbuESggTv0.exe.4235570.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.jbuESggTv0.exe.4235570.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.jbuESggTv0.exe.4235570.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.jbuESggTv0.exe.4235570.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.jbuESggTv0.exe.4235570.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.jbuESggTv0.exe.4235570.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.jbuESggTv0.exe.4235570.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.jbuESggTv0.exe.4235570.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.3816754828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.3816754828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1593158495.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1593158495.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000005.00000002.1721691566.00000000043BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.1721691566.00000000043BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: jbuESggTv0.exe PID: 7252, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: jbuESggTv0.exe PID: 7252, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: InstallUtil.exe PID: 7636, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 7636, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: svcost.exe PID: 7740, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: svcost.exe PID: 7740, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: jbuESggTv0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: svcost.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.jbuESggTv0.exe.436b830.3.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.jbuESggTv0.exe.436b830.3.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.jbuESggTv0.exe.436b830.3.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.jbuESggTv0.exe.436b830.3.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.jbuESggTv0.exe.431b810.1.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.jbuESggTv0.exe.431b810.1.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.jbuESggTv0.exe.431b810.1.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.jbuESggTv0.exe.431b810.1.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.jbuESggTv0.exe.431b810.1.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.jbuESggTv0.exe.436b830.3.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.jbuESggTv0.exe.436b830.3.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.jbuESggTv0.exe.436b830.3.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.jbuESggTv0.exe.436b830.3.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.jbuESggTv0.exe.431b810.1.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.jbuESggTv0.exe.431b810.1.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.jbuESggTv0.exe.5be0000.5.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.jbuESggTv0.exe.5be0000.5.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.jbuESggTv0.exe.5be0000.5.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.jbuESggTv0.exe.5be0000.5.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.jbuESggTv0.exe.436b830.3.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.jbuESggTv0.exe.5be0000.5.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.jbuESggTv0.exe.5be0000.5.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.jbuESggTv0.exe.431b810.1.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.jbuESggTv0.exe.436b830.3.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@8/2@2/2
Source: C:\Users\user\Desktop\jbuESggTv0.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs"
Source: jbuESggTv0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jbuESggTv0.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: InstallUtil.exe, 00000003.00000002.3819753587.0000000002CE7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002D2A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002D1E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3823820604.0000000003B3A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002CD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.3819753587.0000000002CF6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000029BD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000006.00000002.3819172841.00000000029AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: jbuESggTv0.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\jbuESggTv0.exe File read: C:\Users\user\Desktop\jbuESggTv0.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\jbuESggTv0.exe "C:\Users\user\Desktop\jbuESggTv0.exe"
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\svcost.exe "C:\Users\user\AppData\Roaming\svcost.exe"
Source: C:\Users\user\AppData\Roaming\svcost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\svcost.exe "C:\Users\user\AppData\Roaming\svcost.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: jbuESggTv0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: jbuESggTv0.exe Static file information: File size 1072096 > 1048576
Source: jbuESggTv0.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: jbuESggTv0.exe, 00000000.00000002.1593158495.000000000436B000.00000004.00000800.00020000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1594608307.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: jbuESggTv0.exe, 00000000.00000002.1593158495.000000000436B000.00000004.00000800.00020000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1594608307.0000000005BE0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: jbuESggTv0.exe, 00000000.00000002.1602327042.00000000061C0000.00000004.08000000.00040000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1721691566.0000000004231000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: jbuESggTv0.exe, 00000000.00000002.1602327042.00000000061C0000.00000004.08000000.00040000.00000000.sdmp, jbuESggTv0.exe, 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1721691566.0000000004231000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \.PDb source: svcost.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.jbuESggTv0.exe.436b830.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.jbuESggTv0.exe.436b830.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.jbuESggTv0.exe.436b830.3.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.jbuESggTv0.exe.431b810.1.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.jbuESggTv0.exe.431b810.1.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.jbuESggTv0.exe.431b810.1.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.jbuESggTv0.exe.5be0000.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.jbuESggTv0.exe.5be0000.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.jbuESggTv0.exe.5be0000.5.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Yara detected Costura Assembly Loader
Source: Yara match File source: 0.2.jbuESggTv0.exe.6320000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1605150480.0000000006320000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1711136967.0000000003293000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1580157490.0000000003293000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jbuESggTv0.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svcost.exe PID: 7740, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_05BC807D push eax; ret 0_2_05BC8141
Source: C:\Users\user\Desktop\jbuESggTv0.exe Code function: 0_2_06C135A6 push edi; retf 0_2_06C135AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_028924B9 push 8BFFFFFFh; retf 3_2_028924BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_05642E60 push esp; iretd 3_2_05642E79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_065A3181 push ebx; retf 3_2_065A3182
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_05C78F95 push eax; ret 5_2_05C78FD9
Source: C:\Users\user\AppData\Roaming\svcost.exe Code function: 5_2_06D035A6 push edi; retf 5_2_06D035AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 6_2_00CA24B9 push 8BFFFFFFh; retf 6_2_00CA24BF
Source: jbuESggTv0.exe Static PE information: section name: .text entropy: 7.764858525500812
Source: svcost.exe.0.dr Static PE information: section name: .text entropy: 7.764858525500812
Drops PE files
Source: C:\Users\user\Desktop\jbuESggTv0.exe File created: C:\Users\user\AppData\Roaming\svcost.exe Jump to dropped file

Boot Survival
barindex
Drops VBS files to the startup folder
Source: C:\Users\user\Desktop\jbuESggTv0.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\jbuESggTv0.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\jbuESggTv0.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svcost.vbs Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: jbuESggTv0.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svcost.exe PID: 7740, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: jbuESggTv0.exe, 00000000.00000002.1580157490.0000000003293000.00000004.00000800.00020000.00000000.sdmp, svcost.exe, 00000005.00000002.1711136967.0000000003293000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\jbuESggTv0.exe Memory allocated: 1750000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Memory allocated: 3230000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Memory allocated: 2F70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Memory allocated: 6C60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Memory allocated: 17C60000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2850000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2AB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 28D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Memory allocated: 2FF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Memory allocated: 3230000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Memory allocated: 2FF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: CA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2780000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 26A0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\jbuESggTv0.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599776 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599430 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599093 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598874 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598209 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597966 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597841 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597733 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597612 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597495 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597043 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596499 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596389 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596281 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595843 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595624 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595296 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594421 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599172 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597032 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596907 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596782 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595266 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595123 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594235 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2021 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7830 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 7057 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2784 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\jbuESggTv0.exe TID: 7320 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe TID: 7332 Thread sleep count: 215 > 30 Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe TID: 7348 Thread sleep count: 85 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -27670116110564310s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824 Thread sleep count: 2021 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824 Thread sleep count: 7830 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -599776s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -599546s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -599430s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -599312s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -599203s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -599093s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -598984s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -598874s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -598765s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -598656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -598546s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -598437s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -598328s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -598209s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -598078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -597966s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -597841s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -597733s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -597612s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -597495s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -597375s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -597265s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -597156s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -597043s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -596937s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -596828s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -596718s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -596609s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -596499s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -596389s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -596281s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -596171s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -596062s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -595953s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -595843s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -595734s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -595624s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -595515s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -595406s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -595296s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -595187s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -595078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -594968s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -594859s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -594750s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -594640s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -594531s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7820 Thread sleep time: -594421s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe TID: 7776 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe TID: 7780 Thread sleep count: 193 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe TID: 7796 Thread sleep count: 101 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -599891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7928 Thread sleep count: 7057 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7928 Thread sleep count: 2784 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -599438s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -599297s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -599172s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -599063s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -598938s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -598813s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -598703s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -598594s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -598469s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -598359s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -598250s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -598141s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -598031s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -597922s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -597812s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -597703s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -597594s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -597469s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -597359s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -597250s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -597141s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -597032s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -596907s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -596782s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -596672s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -596563s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -596438s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -596313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -596188s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -596063s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -595953s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -595844s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -595719s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -595609s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -595500s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -595375s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -595266s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -595123s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -594985s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -594860s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -594735s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -594610s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -594485s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -594360s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7924 Thread sleep time: -594235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599776 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599430 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599093 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598874 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598209 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597966 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597841 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597733 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597612 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597495 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597043 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596499 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596389 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596281 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595843 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595624 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595296 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594421 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599172 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 597032 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596907 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596782 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 596063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595266 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 595123 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 594235 Jump to behavior
Source: wscript.exe, 00000004.00000002.1594613273.0000014D79C44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: svcost.exe, 00000005.00000002.1711136967.0000000003293000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: svcost.exe, 00000005.00000002.1711136967.0000000003293000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: InstallUtil.exe, 00000006.00000002.3817176112.0000000000A17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: InstallUtil.exe, 00000003.00000002.3817322474.0000000000CFD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_05647D90 LdrInitializeThunk, 3_2_05647D90
Enables debug privileges
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\jbuESggTv0.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\jbuESggTv0.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 422000 Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 424000 Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 9F6008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\jbuESggTv0.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\svcost.exe "C:\Users\user\AppData\Roaming\svcost.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\jbuESggTv0.exe Queries volume information: C:\Users\user\Desktop\jbuESggTv0.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Queries volume information: C:\Users\user\AppData\Roaming\svcost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svcost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\jbuESggTv0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.jbuESggTv0.exe.4235570.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jbuESggTv0.exe.4235570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3816754828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3819753587.0000000002C6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1593158495.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3819172841.0000000002949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1721691566.00000000043BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3819753587.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3819172841.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jbuESggTv0.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svcost.exe PID: 7740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7864, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.jbuESggTv0.exe.4235570.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jbuESggTv0.exe.4235570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3816754828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1593158495.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1721691566.00000000043BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jbuESggTv0.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svcost.exe PID: 7740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7864, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.jbuESggTv0.exe.4235570.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jbuESggTv0.exe.4235570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3816754828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3819753587.0000000002C6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1593158495.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3819172841.0000000002949000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1721691566.00000000043BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1593158495.00000000042B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3819753587.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3819172841.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jbuESggTv0.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svcost.exe PID: 7740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7864, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562382 Sample: jbuESggTv0.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 100 27 reallyfreegeoip.org 2->27 29 checkip.dyndns.org 2->29 31 checkip.dyndns.com 2->31 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 45 9 other signatures 2->45 8 jbuESggTv0.exe 4 2->8         started        12 wscript.exe 1 2->12         started        signatures3 43 Tries to detect the country of the analysis system (by using the IP) 27->43 process4 file5 23 C:\Users\user\AppData\Roaming\svcost.exe, PE32 8->23 dropped 25 C:\Users\user\AppData\Roaming\...\svcost.vbs, ASCII 8->25 dropped 51 Drops VBS files to the startup folder 8->51 53 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->53 55 Writes to foreign memory regions 8->55 59 2 other signatures 8->59 14 InstallUtil.exe 15 2 8->14         started        57 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->57 18 svcost.exe 2 12->18         started        signatures6 process7 dnsIp8 33 checkip.dyndns.com 158.101.44.242, 49760, 49778, 49785 ORACLE-BMC-31898US United States 14->33 35 reallyfreegeoip.org 172.67.177.134, 443, 49766, 49772 CLOUDFLARENETUS United States 14->35 61 Tries to steal Mail credentials (via file / registry access) 14->61 63 Antivirus detection for dropped file 18->63 65 Machine Learning detection for dropped file 18->65 20 InstallUtil.exe 2 18->20         started        signatures9 process10 signatures11 47 Tries to steal Mail credentials (via file / registry access) 20->47 49 Tries to harvest and steal browser information (history, passwords, etc) 20->49
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
158.101.44.242
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false
172.67.177.134
 reallyfreegeoip.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
reallyfreegeoip.org 172.67.177.134 true
checkip.dyndns.com 158.101.44.242 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://reallyfreegeoip.org/xml/8.46.123.75 false
    		high
    http://checkip.dyndns.org/ false
      		high