Windows Analysis Report
2MUAWaJNFk.exe

Overview

General Information

Sample name: 2MUAWaJNFk.exe
renamed because original name is a hash value
Original sample name: 425dd633a5ed02e10cc255cb017632de.exe
Analysis ID: 1426991
MD5: 425dd633a5ed02e10cc255cb017632de
SHA1: c82aa0fd7f1de29a28e8c6a618d34cd408869add
SHA256: cb964ce3ee02dadefccd9b2392181ecef1bf4c2cae650c75caae0c7c133b5a03
Tags: Arechclient2exe

Detection

RedLine, SectopRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
Yara detected SectopRAT
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: 2MUAWaJNFk.exe Avira: detected
Source: 2MUAWaJNFk.exe ReversingLabs: Detection: 68%
Source: 2MUAWaJNFk.exe Joe Sandbox ML: detected
Source: 2MUAWaJNFk.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD704D
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD6C91
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD4FF8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD5835
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD71B5
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD70FF
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD807F
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD7302
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD731F
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD72A9
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD6DC6
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD696C
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD597B
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD58F2
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD6B94
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD5A9A
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD5A79
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 05AD87CBh 0_2_05AD6A5D
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 074FAC1Ah 0_2_074F9E20
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 074FB346h 0_2_074F9E20
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 074FB346h 0_2_074FAC6D
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 074FB346h 0_2_074FAC6B
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 074FB346h 0_2_074FAC76
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 074F74B1h 0_2_074F7499
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 07563AE2h 0_2_075639C8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 07563AE2h 0_2_07563918
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 4x nop then jmp 07563AE2h 0_2_075639B9

Networking

Source: Traffic Snort IDS: 2051910 ET TROJAN Arechclient2 Backdoor/SecTopRAT Related Activity 192.168.2.6:49699 -> 213.109.202.229:15647
Source: Traffic Snort IDS: 2029217 ET TROJAN Arechclient2 Backdoor/SecTopRAT CnC Init 213.109.202.229:15647 -> 192.168.2.6:49699
Source: Traffic Snort IDS: 2051910 ET TROJAN Arechclient2 Backdoor/SecTopRAT Related Activity 192.168.2.6:49709 -> 213.109.202.229:15647
Source: Traffic Snort IDS: 2029217 ET TROJAN Arechclient2 Backdoor/SecTopRAT CnC Init 213.109.202.229:15647 -> 192.168.2.6:49709
Source: Traffic Snort IDS: 2051910 ET TROJAN Arechclient2 Backdoor/SecTopRAT Related Activity 192.168.2.6:49710 -> 213.109.202.229:15647
Source: Traffic Snort IDS: 2029217 ET TROJAN Arechclient2 Backdoor/SecTopRAT CnC Init 213.109.202.229:15647 -> 192.168.2.6:49710
Source: global traffic TCP traffic: 213.109.202.229 ports 1,4,5,6,7,15647
Source: global traffic TCP traffic: 192.168.2.6:49699 -> 213.109.202.229:15647
Source: Joe Sandbox View ASN Name: UA-LINK-ASUA UA-LINK-ASUA
Source: unknown TCP traffic detected without corresponding DNS query: 213.109.202.229 (this entry is repeated 50 times in the report)
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003181000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003181000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003181000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/ENEhYpTW

System Summary

Source: 2MUAWaJNFk.exe, type: SAMPLE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.0.2MUAWaJNFk.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_017611B0 0_2_017611B0
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_01768518 0_2_01768518
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_01766454 0_2_01766454
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_0176A750 0_2_0176A750
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_0176F808 0_2_0176F808
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_0176ED61 0_2_0176ED61
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_01768DB8 0_2_01768DB8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_01763EA0 0_2_01763EA0
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_017611A1 0_2_017611A1
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_017632C4 0_2_017632C4
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_0176329D 0_2_0176329D
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_017664A9 0_2_017664A9
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_0176A71D 0_2_0176A71D
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_0176F7F6 0_2_0176F7F6
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_01768DA9 0_2_01768DA9
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_01763E77 0_2_01763E77
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_05AD8DB8 0_2_05AD8DB8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_05AD4FF8 0_2_05AD4FF8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_05ADEA08 0_2_05ADEA08
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_05AD27A5 0_2_05AD27A5
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_05AD27C0 0_2_05AD27C0
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_05AD0006 0_2_05AD0006
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_05AD0040 0_2_05AD0040
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_05AD4FE8 0_2_05AD4FE8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_07393B80 0_2_07393B80
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_0739EE28 0_2_0739EE28
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_073926D8 0_2_073926D8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_073952C8 0_2_073952C8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_07399AC8 0_2_07399AC8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_073965A4 0_2_073965A4
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_07392C15 0_2_07392C15
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_07390040 0_2_07390040
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_073948AF 0_2_073948AF
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_07399B90 0_2_07399B90
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_07393210 0_2_07393210
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_07394688 0_2_07394688
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_07390007 0_2_07390007
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_07398C77 0_2_07398C77
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_07398C9D 0_2_07398C9D
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_0739D08B 0_2_0739D08B
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_073968F5 0_2_073968F5
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F9550 0_2_074F9550
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F6500 0_2_074F6500
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F8FCE 0_2_074F8FCE
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074FB3E8 0_2_074FB3E8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F37F8 0_2_074F37F8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F7780 0_2_074F7780
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F8668 0_2_074F8668
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F9E20 0_2_074F9E20
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F4ED0 0_2_074F4ED0
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F7743 0_2_074F7743
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F1340 0_2_074F1340
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F9540 0_2_074F9540
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F776F 0_2_074F776F
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F1330 0_2_074F1330
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074FDBDA 0_2_074FDBDA
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074FB3D8 0_2_074FB3D8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F37E9 0_2_074F37E9
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F41E8 0_2_074F41E8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F9DE3 0_2_074F9DE3
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F41F8 0_2_074F41F8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F05A8 0_2_074F05A8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F0040 0_2_074F0040
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F8658 0_2_074F8658
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F0006 0_2_074F0006
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074FDC10 0_2_074FDC10
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F2AA8 0_2_074F2AA8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_074F4EBF 0_2_074F4EBF
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_0756AB60 0_2_0756AB60
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_075642FD 0_2_075642FD
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_0756994A 0_2_0756994A
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_075674D8 0_2_075674D8
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_07567888 0_2_07567888
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_07563358 0_2_07563358
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_0756AB4C 0_2_0756AB4C
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_0756787F 0_2_0756787F
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_07567492 0_2_07567492
Source: 2MUAWaJNFk.exe, 00000000.00000002.4524685756.0000000001581000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\OriginalFilenameclr.dllT vs 2MUAWaJNFk.exe
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003181000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs 2MUAWaJNFk.exe
Source: 2MUAWaJNFk.exe, 00000000.00000002.4524685756.00000000014BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 2MUAWaJNFk.exe
Source: 2MUAWaJNFk.exe, 00000000.00000000.2055663294.0000000000E80000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamebladfin.exe" vs 2MUAWaJNFk.exe
Source: 2MUAWaJNFk.exe Binary or memory string: OriginalFilenamebladfin.exe" vs 2MUAWaJNFk.exe
Source: 2MUAWaJNFk.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2MUAWaJNFk.exe, type: SAMPLE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.0.2MUAWaJNFk.exe.db0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/16@0/1
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File created: C:\Users\user\AppData\Local\Yandex
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Mutant created: NULL
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File created: C:\Users\user\AppData\Local\Temp\tmp3303.tmp
Source: 2MUAWaJNFk.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 2MUAWaJNFk.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2MUAWaJNFk.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: 2MUAWaJNFk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_0176E731 pushad ; iretd 0_2_0176E737
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Code function: 0_2_0756641D push ebx; iretd 0_2_0756641E
Source: 2MUAWaJNFk.exe Static PE information: section name: .text entropy: 6.931561580665592
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Process information set: NOOPENFILEERRORBOX (this entry is repeated 62 times in the report)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\2MUAWaJNFk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive (this query is repeated 7 times in the report)
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Memory allocated: 1710000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Memory allocated: 3180000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Memory allocated: 5180000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Window / User API: threadDelayed 7989
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Window / User API: threadDelayed 1705
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 5664 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 5664 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -57301s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 5664 Thread sleep time: -59875s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -48006s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 5664 Thread sleep time: -59766s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -32326s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 5664 Thread sleep time: -59654s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -36643s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -48196s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -45309s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -58104s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -50033s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -37283s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -31593s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -39807s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 5788 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -32047s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -42043s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -52466s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -47114s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -56517s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -48933s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -35169s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -30297s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -44793s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -59134s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -32330s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -32471s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -49374s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -53016s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -40847s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -33414s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -56729s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe TID: 7040 Thread sleep time: -46876s >= -30000s
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 57301
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 59875
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 48006
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 59766
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 32326
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 59654
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 36643
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 48196
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 45309
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 58104
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 50033
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 37283
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 31593
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 39807
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 32047
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 42043
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 52466
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 47114
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 56517
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 48933
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 35169
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 30297
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 44793
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 59134
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 32330
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 32471
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 49374
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 53016
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 40847
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 33414
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 56729
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Thread delayed: delay time: 46876
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 2MUAWaJNFk.exe, 00000000.00000002.4524685756.000000000154F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 2MUAWaJNFk.exe, 00000000.00000002.4525720717.0000000003504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 2MUAWaJNFk.exe, 00000000.00000002.4528964894.0000000004414000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Queries volume information: C:\Users\user\Desktop\2MUAWaJNFk.exe VolumeInformation
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 2MUAWaJNFk.exe, 00000000.00000002.4532753447.000000000688B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 2MUAWaJNFk.exe, type: SAMPLE
Source: Yara match File source: 0.0.2MUAWaJNFk.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2055572978.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2MUAWaJNFk.exe PID: 5716, type: MEMORYSTR
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\Desktop\2MUAWaJNFk.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match File source: 2MUAWaJNFk.exe, type: SAMPLE
Source: Yara match File source: 0.0.2MUAWaJNFk.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2055572978.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2MUAWaJNFk.exe PID: 5716, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 2MUAWaJNFk.exe, type: SAMPLE
Source: Yara match File source: 0.0.2MUAWaJNFk.exe.db0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2055572978.0000000000DB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2MUAWaJNFk.exe PID: 5716, type: MEMORYSTR