Windows Analysis Report 3182473663947752.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: 3182473663947752.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 3182473663947752.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003FEF000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732737643.0000000005850000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003FEF000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732737643.0000000005850000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_05400F44
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_05400F50
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then jmp 057BE8DAh	0_2_057BE728
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then jmp 057BE8DAh	0_2_057BE71B
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_057EF6E0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_057EF6D9
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then jmp 057E0B8Eh	0_2_057E0978
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then jmp 057E0B8Eh	0_2_057E0988
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then jmp 057E0B8Eh	0_2_057E0B46

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49729 -> 77.105.36.190:587

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.4:49729 -> 77.105.36.190:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: pecrkva.rs

Source: 3182473663947752.exe	String found in binary or memory: http://cipa.jp/exif/1.0/
Source: 3182473663947752.exe	String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: 3182473663947752.exe	String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: 3182473663947752.exe	String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: 3182473663947752.exe, 00000002.00000002.2966199143.000000000322A000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.00000000031F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pecrkva.rs
Source: 3182473663947752.exe, 00000002.00000002.2973938967.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2974248541.0000000005904000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.000000000322A000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2964180539.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.00000000031F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: 3182473663947752.exe, 00000002.00000002.2973938967.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2974248541.0000000005904000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.000000000322A000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2964180539.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.00000000031F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3182473663947752.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: 3182473663947752.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: 3182473663947752.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: 3182473663947752.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: 3182473663947752.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: 3182473663947752.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: 3182473663947752.exe	String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: 3182473663947752.exe, 00000002.00000002.2973938967.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2974248541.0000000005904000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.000000000322A000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2964180539.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.00000000031F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 3182473663947752.exe, 00000002.00000002.2973938967.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2974248541.0000000005904000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.000000000322A000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2964180539.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.00000000031F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003CB9000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000004072000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2963531858.0000000000402000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, l8rGfzxi.cs

.Net Code: MCNeeT6TvU

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.3182473663947752.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.3182473663947752.exe.4088260.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.3182473663947752.exe.2eab60c.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.3182473663947752.exe.2eab60c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Contains functionality to call native functions

Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057ED7A8 NtWriteVirtualMemory,	0_2_057ED7A8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057ED638 NtAllocateVirtualMemory,	0_2_057ED638
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057ED930 NtUnmapViewOfSection,	0_2_057ED930
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057EDBD8 NtResumeThread,	0_2_057EDBD8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057EDA68 NtSetContextThread,	0_2_057EDA68
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057ED7A0 NtWriteVirtualMemory,	0_2_057ED7A0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057ED630 NtAllocateVirtualMemory,	0_2_057ED630
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057ED928 NtUnmapViewOfSection,	0_2_057ED928
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057EDBD1 NtResumeThread,	0_2_057EDBD1
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057EDA60 NtSetContextThread,	0_2_057EDA60

Detected potential crypto function

Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31960	0_2_02C31960
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C333BA	0_2_02C333BA
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31930	0_2_02C31930
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C32CF8	0_2_02C32CF8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C32D08	0_2_02C32D08
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_054026A0	0_2_054026A0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0540AC10	0_2_0540AC10
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05405E2C	0_2_05405E2C
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05404A2F	0_2_05404A2F
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05402690	0_2_05402690
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05408F02	0_2_05408F02
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0540FEBB	0_2_0540FEBB
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0540F9A8	0_2_0540F9A8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0540F9B8	0_2_0540F9B8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05404A37	0_2_05404A37
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0558BCD0	0_2_0558BCD0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0558F798	0_2_0558F798
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05580398	0_2_05580398
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05580970	0_2_05580970
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05588900	0_2_05588900
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0558C007	0_2_0558C007
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_055888F1	0_2_055888F1
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0558038A	0_2_0558038A
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0558D2E8	0_2_0558D2E8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057BBDB8	0_2_057BBDB8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E7860	0_2_057E7860
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E00DD	0_2_057E00DD
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E5363	0_2_057E5363
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E0978	0_2_057E0978
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E0988	0_2_057E0988
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E7851	0_2_057E7851
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E0B46	0_2_057E0B46
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E8AE0	0_2_057E8AE0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E8AD0	0_2_057E8AD0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0590DB50	0_2_0590DB50
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_058F0007	0_2_058F0007
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_058F0040	0_2_058F0040
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_018741C8	2_2_018741C8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_01874A98	2_2_01874A98
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_0187CDD8	2_2_0187CDD8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_01873E80	2_2_01873E80
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_068356B8	2_2_068356B8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_06833F28	2_2_06833F28
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_0683BCD0	2_2_0683BCD0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_0683DCD8	2_2_0683DCD8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_06839AB0	2_2_06839AB0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_06832AF8	2_2_06832AF8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_06838B60	2_2_06838B60
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_06830040	2_2_06830040
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_06834FD8	2_2_06834FD8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_06833223	2_2_06833223

Sample file is different than original file name gathered from version info

Source: 3182473663947752.exe, 00000000.00000000.1706264744.0000000000342000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAzdmyxofdr.exe" vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAulifddzfcf.dll" vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1719299161.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAulifddzfcf.dll" vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename24cefc5a-92d7-4b8a-bdbc-e3f0fe1543b8.exe4 vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003FEF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000004372000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAulifddzfcf.dll" vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1715922084.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000004072000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename24cefc5a-92d7-4b8a-bdbc-e3f0fe1543b8.exe4 vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1732737643.0000000005850000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1729671070.00000000051C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAulifddzfcf.dll" vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000002.00000002.2963973186.00000000012F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000002.00000002.2963800861.000000000043E000.00000002.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename24cefc5a-92d7-4b8a-bdbc-e3f0fe1543b8.exe4 vs 3182473663947752.exe
Source: 3182473663947752.exe	Binary or memory string: OriginalFilenameAzdmyxofdr.exe" vs 3182473663947752.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: msasn1.dll	Jump to behavior

Source: 3182473663947752.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.3182473663947752.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.3182473663947752.exe.4088260.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.3182473663947752.exe.2eab60c.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.3182473663947752.exe.2eab60c.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, N1EZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, N1EZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, N1EZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, N1EZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, arzrv9AWTXK.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, arzrv9AWTXK.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, InmxgXcIi8d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, InmxgXcIi8d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: C:\Users\user\Desktop\3182473663947752.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3182473663947752.exe.log

Source: C:\Users\user\Desktop\3182473663947752.exe

Mutant created: NULL

Source: 3182473663947752.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 3182473663947752.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\3182473663947752.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\3182473663947752.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\3182473663947752.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\3182473663947752.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\3182473663947752.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 3182473663947752.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\3182473663947752.exe C:\Users\user\Desktop\3182473663947752.exe
Source: C:\Users\user\Desktop\3182473663947752.exe	Process created: C:\Users\user\Desktop\3182473663947752.exe C:\Users\user\Desktop\3182473663947752.exe
Source: C:\Users\user\Desktop\3182473663947752.exe	Process created: C:\Users\user\Desktop\3182473663947752.exe C:\Users\user\Desktop\3182473663947752.exe	Jump to behavior

Source: C:\Users\user\Desktop\3182473663947752.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\3182473663947752.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\3182473663947752.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

.NET source code contains potential unpacker

Source: 3182473663947752.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 3182473663947752.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 3182473663947752.exe

Static file information: File size 3817472 > 1048576

Source: 3182473663947752.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3a3600

Source: 3182473663947752.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003FEF000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732737643.0000000005850000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003FEF000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732737643.0000000005850000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.3182473663947752.exe.4850e80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4800e60.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.5590000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4800e60.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.48f0ea0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4372440.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1731699605.0000000005590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000004372000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3182473663947752.exe PID: 7480, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C3723C push ds; ret	0_2_02C37241
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C308A0 pushfd ; retf	0_2_02C308A1
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C3184B push cs; ret	0_2_02C3185A
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C3185B push cs; ret	0_2_02C31866
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31873 push cs; ret	0_2_02C3187E
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31807 push cs; ret	0_2_02C3180E
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C3180F push ss; ret	0_2_02C31816
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31823 push cs; ret	0_2_02C31826
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C3183F push cs; ret	0_2_02C31842
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C316D3 push ss; ret	0_2_02C316DA
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C30E1F push es; iretd	0_2_02C30E2A
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31797 push ss; ret	0_2_02C317A2
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31743 push ss; ret	0_2_02C3174A
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31713 push cs; ret	0_2_02C31716
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31737 push 0000000Bh; ret	0_2_02C31742
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_054014A0 pushfd ; ret	0_2_054014A1
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05402168 push eax; retf	0_2_05402169
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0540CDF0 pushad ; iretd	0_2_0540CDF1
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0558A55A pushad ; retf	0_2_0558A561
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05583EE8 pushfd ; retf	0_2_05583EFF
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057B9F64 push es; iretd	0_2_057B9F67
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057B6B40 push esp; retf 0565h	0_2_057B6B4D
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057ECCC4 push cs; ret	0_2_057ECCC5
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_058F656D push edi; retf	0_2_058F656E
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_0187FFA0 push es; ret	2_2_0187FFB0

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\3182473663947752.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior

Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\3182473663947752.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\3182473663947752.exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Memory allocated: 1870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Memory allocated: 51A0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\3182473663947752.exe	Window / User API: threadDelayed 1706			Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Window / User API: threadDelayed 8105			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7504	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7684	Thread sleep count: 1706 > 30	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7684	Thread sleep count: 8105 > 30	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99762s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98365s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -95985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -95860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -95735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -95610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -95485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -95360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98735s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\3182473663947752.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\3182473663947752.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\3182473663947752.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\3182473663947752.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99762	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98365	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 95985	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 95735	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 95610	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 95485	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 95360	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99985	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99860	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99735	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99610	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99485	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99360	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99235	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99110	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98985	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98735	Jump to behavior

Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: 3182473663947752.exe, 00000002.00000002.2964180539.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\3182473663947752.exe

Process information queried: ProcessInformation

Enables debug privileges

Source: C:\Users\user\Desktop\3182473663947752.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\3182473663947752.exe

Memory allocated: page read and write | page guard

Injects a PE file into a foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\3182473663947752.exe

Memory written: C:\Users\user\Desktop\3182473663947752.exe base: 400000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\3182473663947752.exe

Process created: C:\Users\user\Desktop\3182473663947752.exe C:\Users\user\Desktop\3182473663947752.exe

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Users\user\Desktop\3182473663947752.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Users\user\Desktop\3182473663947752.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\3182473663947752.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3182473663947752.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4088260.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.2eab60c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.2eab60c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2966199143.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2966199143.0000000003218000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2963531858.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000004072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2966199143.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000003CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3182473663947752.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3182473663947752.exe PID: 7560, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: Yara match	File source: 0.2.3182473663947752.exe.4372440.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.40f2420.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.51c0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.51c0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.40f2420.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4372440.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1719299161.00000000040E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729671070.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000004372000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\3182473663947752.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\3182473663947752.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\3182473663947752.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3182473663947752.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4088260.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.2eab60c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.2eab60c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2963531858.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000004072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2966199143.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000003CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3182473663947752.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3182473663947752.exe PID: 7560, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3182473663947752.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4088260.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.2eab60c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.2eab60c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2966199143.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2966199143.0000000003218000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2963531858.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000004072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2966199143.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000003CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3182473663947752.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3182473663947752.exe PID: 7560, type: MEMORYSTR

Found malware configuration

Source: Yara match	File source: 0.2.3182473663947752.exe.4372440.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.40f2420.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.51c0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.51c0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.40f2420.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4372440.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1719299161.00000000040E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729671070.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000004372000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.105.36.190	pecrkva.rs	Serbia		9125	ORIONTELEKOM-ASRS	false

Contacted Domains

Name	IP	Active
pecrkva.rs	77.105.36.190	true

AV Detection

Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "pecrkva.rs", "Username": "info@pecrkva.rs", "Password": "CrkvenaSifra008"}

Multi AV Scanner detection for submitted file

Source: 3182473663947752.exe

ReversingLabs: Detection: 18%

Machine Learning detection for sample

Source: 3182473663947752.exe

Joe Sandbox ML: detected

Found inlined nop instructions (likely shell or obfuscated code)

Source: 3182473663947752.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 3182473663947752.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003FEF000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732737643.0000000005850000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003FEF000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732737643.0000000005850000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_05400F44
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_05400F50
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then jmp 057BE8DAh	0_2_057BE728
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then jmp 057BE8DAh	0_2_057BE71B
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_057EF6E0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_057EF6D9
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then jmp 057E0B8Eh	0_2_057E0978
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then jmp 057E0B8Eh	0_2_057E0988
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 4x nop then jmp 057E0B8Eh	0_2_057E0B46

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49729 -> 77.105.36.190:587

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.4:49729 -> 77.105.36.190:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: pecrkva.rs

Source: 3182473663947752.exe	String found in binary or memory: http://cipa.jp/exif/1.0/
Source: 3182473663947752.exe	String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: 3182473663947752.exe	String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: 3182473663947752.exe	String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: 3182473663947752.exe, 00000002.00000002.2966199143.000000000322A000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.00000000031F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pecrkva.rs
Source: 3182473663947752.exe, 00000002.00000002.2973938967.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2974248541.0000000005904000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.000000000322A000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2964180539.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.00000000031F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: 3182473663947752.exe, 00000002.00000002.2973938967.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2974248541.0000000005904000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.000000000322A000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2964180539.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.00000000031F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3182473663947752.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: 3182473663947752.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: 3182473663947752.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: 3182473663947752.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: 3182473663947752.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: 3182473663947752.exe	String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: 3182473663947752.exe	String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: 3182473663947752.exe, 00000002.00000002.2973938967.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2974248541.0000000005904000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.000000000322A000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2964180539.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.00000000031F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 3182473663947752.exe, 00000002.00000002.2973938967.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2974248541.0000000005904000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.000000000322A000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2964180539.00000000014C6000.00000004.00000020.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2966199143.00000000031F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003CB9000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000004072000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000002.00000002.2963531858.0000000000402000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, l8rGfzxi.cs

.Net Code: MCNeeT6TvU

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.3182473663947752.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.3182473663947752.exe.4088260.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.3182473663947752.exe.2eab60c.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.3182473663947752.exe.2eab60c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Contains functionality to call native functions

Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057ED7A8 NtWriteVirtualMemory,	0_2_057ED7A8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057ED638 NtAllocateVirtualMemory,	0_2_057ED638
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057ED930 NtUnmapViewOfSection,	0_2_057ED930
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057EDBD8 NtResumeThread,	0_2_057EDBD8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057EDA68 NtSetContextThread,	0_2_057EDA68
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057ED7A0 NtWriteVirtualMemory,	0_2_057ED7A0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057ED630 NtAllocateVirtualMemory,	0_2_057ED630
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057ED928 NtUnmapViewOfSection,	0_2_057ED928
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057EDBD1 NtResumeThread,	0_2_057EDBD1
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057EDA60 NtSetContextThread,	0_2_057EDA60

Detected potential crypto function

Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31960	0_2_02C31960
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C333BA	0_2_02C333BA
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31930	0_2_02C31930
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C32CF8	0_2_02C32CF8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C32D08	0_2_02C32D08
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_054026A0	0_2_054026A0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0540AC10	0_2_0540AC10
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05405E2C	0_2_05405E2C
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05404A2F	0_2_05404A2F
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05402690	0_2_05402690
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05408F02	0_2_05408F02
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0540FEBB	0_2_0540FEBB
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0540F9A8	0_2_0540F9A8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0540F9B8	0_2_0540F9B8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05404A37	0_2_05404A37
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0558BCD0	0_2_0558BCD0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0558F798	0_2_0558F798
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05580398	0_2_05580398
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05580970	0_2_05580970
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05588900	0_2_05588900
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0558C007	0_2_0558C007
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_055888F1	0_2_055888F1
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0558038A	0_2_0558038A
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0558D2E8	0_2_0558D2E8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057BBDB8	0_2_057BBDB8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E7860	0_2_057E7860
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E00DD	0_2_057E00DD
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E5363	0_2_057E5363
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E0978	0_2_057E0978
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E0988	0_2_057E0988
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E7851	0_2_057E7851
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E0B46	0_2_057E0B46
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E8AE0	0_2_057E8AE0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057E8AD0	0_2_057E8AD0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0590DB50	0_2_0590DB50
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_058F0007	0_2_058F0007
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_058F0040	0_2_058F0040
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_018741C8	2_2_018741C8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_01874A98	2_2_01874A98
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_0187CDD8	2_2_0187CDD8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_01873E80	2_2_01873E80
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_068356B8	2_2_068356B8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_06833F28	2_2_06833F28
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_0683BCD0	2_2_0683BCD0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_0683DCD8	2_2_0683DCD8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_06839AB0	2_2_06839AB0
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_06832AF8	2_2_06832AF8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_06838B60	2_2_06838B60
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_06830040	2_2_06830040
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_06834FD8	2_2_06834FD8
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_06833223	2_2_06833223

Sample file is different than original file name gathered from version info

Source: 3182473663947752.exe, 00000000.00000000.1706264744.0000000000342000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAzdmyxofdr.exe" vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAulifddzfcf.dll" vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1719299161.00000000040E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAulifddzfcf.dll" vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename24cefc5a-92d7-4b8a-bdbc-e3f0fe1543b8.exe4 vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003FEF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000004372000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAulifddzfcf.dll" vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1715922084.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000004072000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename24cefc5a-92d7-4b8a-bdbc-e3f0fe1543b8.exe4 vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1732737643.0000000005850000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1729671070.00000000051C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAulifddzfcf.dll" vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000002.00000002.2963973186.00000000012F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 3182473663947752.exe
Source: 3182473663947752.exe, 00000002.00000002.2963800861.000000000043E000.00000002.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename24cefc5a-92d7-4b8a-bdbc-e3f0fe1543b8.exe4 vs 3182473663947752.exe
Source: 3182473663947752.exe	Binary or memory string: OriginalFilenameAzdmyxofdr.exe" vs 3182473663947752.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Section loaded: msasn1.dll	Jump to behavior

Source: 3182473663947752.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.3182473663947752.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.3182473663947752.exe.4088260.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.3182473663947752.exe.2eab60c.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.3182473663947752.exe.2eab60c.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, N1EZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, N1EZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, N1EZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, N1EZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, arzrv9AWTXK.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, arzrv9AWTXK.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, InmxgXcIi8d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, InmxgXcIi8d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: C:\Users\user\Desktop\3182473663947752.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3182473663947752.exe.log

Source: C:\Users\user\Desktop\3182473663947752.exe

Mutant created: NULL

Source: 3182473663947752.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 3182473663947752.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\3182473663947752.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\3182473663947752.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\3182473663947752.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\3182473663947752.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\3182473663947752.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 3182473663947752.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\3182473663947752.exe C:\Users\user\Desktop\3182473663947752.exe
Source: C:\Users\user\Desktop\3182473663947752.exe	Process created: C:\Users\user\Desktop\3182473663947752.exe C:\Users\user\Desktop\3182473663947752.exe
Source: C:\Users\user\Desktop\3182473663947752.exe	Process created: C:\Users\user\Desktop\3182473663947752.exe C:\Users\user\Desktop\3182473663947752.exe	Jump to behavior

Source: C:\Users\user\Desktop\3182473663947752.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\3182473663947752.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\3182473663947752.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

.NET source code contains potential unpacker

Source: 3182473663947752.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 3182473663947752.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 3182473663947752.exe

Static file information: File size 3817472 > 1048576

Source: 3182473663947752.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3a3600

Source: 3182473663947752.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003FEF000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732737643.0000000005850000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003FEF000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732737643.0000000005850000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.0000000003ED4000.00000004.00000800.00020000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1732177439.0000000005760000.00000004.08000000.00040000.00000000.sdmp, 3182473663947752.exe, 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.3182473663947752.exe.3fef3a0.5.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.3182473663947752.exe.4850e80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4800e60.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.5590000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4800e60.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.48f0ea0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4372440.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1731699605.0000000005590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.00000000048F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000004372000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3182473663947752.exe PID: 7480, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C3723C push ds; ret	0_2_02C37241
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C308A0 pushfd ; retf	0_2_02C308A1
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C3184B push cs; ret	0_2_02C3185A
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C3185B push cs; ret	0_2_02C31866
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31873 push cs; ret	0_2_02C3187E
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31807 push cs; ret	0_2_02C3180E
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C3180F push ss; ret	0_2_02C31816
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31823 push cs; ret	0_2_02C31826
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C3183F push cs; ret	0_2_02C31842
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C316D3 push ss; ret	0_2_02C316DA
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C30E1F push es; iretd	0_2_02C30E2A
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31797 push ss; ret	0_2_02C317A2
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31743 push ss; ret	0_2_02C3174A
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31713 push cs; ret	0_2_02C31716
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_02C31737 push 0000000Bh; ret	0_2_02C31742
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_054014A0 pushfd ; ret	0_2_054014A1
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05402168 push eax; retf	0_2_05402169
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0540CDF0 pushad ; iretd	0_2_0540CDF1
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_0558A55A pushad ; retf	0_2_0558A561
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_05583EE8 pushfd ; retf	0_2_05583EFF
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057B9F64 push es; iretd	0_2_057B9F67
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057B6B40 push esp; retf 0565h	0_2_057B6B4D
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_057ECCC4 push cs; ret	0_2_057ECCC5
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 0_2_058F656D push edi; retf	0_2_058F656E
Source: C:\Users\user\Desktop\3182473663947752.exe	Code function: 2_2_0187FFA0 push es; ret	2_2_0187FFB0

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\3182473663947752.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior

Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\3182473663947752.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\3182473663947752.exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Memory allocated: 1870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Memory allocated: 51A0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\3182473663947752.exe	Window / User API: threadDelayed 1706			Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Window / User API: threadDelayed 8105			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7504	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7684	Thread sleep count: 1706 > 30	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7684	Thread sleep count: 8105 > 30	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99762s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98365s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -96110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -95985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -95860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -95735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -95610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -95485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -95360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -99110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe TID: 7664	Thread sleep time: -98735s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\3182473663947752.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\3182473663947752.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\3182473663947752.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\3182473663947752.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99762	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98365	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 95985	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 95735	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 95610	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 95485	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 95360	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99985	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99860	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99735	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99610	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99485	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99360	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99235	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 99110	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98985	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Thread delayed: delay time: 98735	Jump to behavior

Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: 3182473663947752.exe, 00000000.00000002.1716681279.0000000002D9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: 3182473663947752.exe, 00000002.00000002.2964180539.00000000014C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\3182473663947752.exe

Process information queried: ProcessInformation

Enables debug privileges

Source: C:\Users\user\Desktop\3182473663947752.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\3182473663947752.exe

Memory allocated: page read and write | page guard

Injects a PE file into a foreign processes

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\3182473663947752.exe

Memory written: C:\Users\user\Desktop\3182473663947752.exe base: 400000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\3182473663947752.exe

Process created: C:\Users\user\Desktop\3182473663947752.exe C:\Users\user\Desktop\3182473663947752.exe

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Users\user\Desktop\3182473663947752.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Users\user\Desktop\3182473663947752.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\3182473663947752.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3182473663947752.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4088260.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.2eab60c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.2eab60c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2966199143.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2966199143.0000000003218000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2963531858.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000004072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2966199143.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000003CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3182473663947752.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3182473663947752.exe PID: 7560, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: Yara match	File source: 0.2.3182473663947752.exe.4372440.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.40f2420.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.51c0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.51c0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.40f2420.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4372440.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1719299161.00000000040E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729671070.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000004372000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\3182473663947752.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\3182473663947752.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\3182473663947752.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\3182473663947752.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3182473663947752.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4088260.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.2eab60c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.2eab60c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2963531858.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000004072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2966199143.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000003CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3182473663947752.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3182473663947752.exe PID: 7560, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 0.2.3182473663947752.exe.4088260.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3182473663947752.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.4088260.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.2eab60c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3182473663947752.exe.2eab60c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2966199143.00000000031EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2966199143.0000000003218000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2963531858.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000004072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2966199143.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1716681279.0000000002E7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1719299161.0000000003CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3182473663947752.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3182473663947752.exe PID: 7560, type: MEMORYSTR