Windows Analysis Report
yMHzNMo3xY.exe

AV Detection

Source: yMHzNMo3xY.exe

Avira: detected

Source: 1.2.yMHzNMo3xY.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "cp5ua.hyperhost.ua", "Username": "prosperlog@steuler-kch.org", "Password": " 7213575aceACE@# "}

Source: yMHzNMo3xY.exe	ReversingLabs: Detection: 31%
Source: yMHzNMo3xY.exe	Virustotal: Detection: 37%			Perma Link

Source: yMHzNMo3xY.exe

Joe Sandbox ML: detected

Compliance

Source: yMHzNMo3xY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: yMHzNMo3xY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: yMHzNMo3xY.exe, 00000000.00000002.1656249047.0000000005190000.00000004.08000000.00040000.00000000.sdmp, yMHzNMo3xY.exe, 00000000.00000002.1653831470.0000000002981000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 91.235.128.141:587

Source: Joe Sandbox View

IP Address: 91.235.128.141 91.235.128.141

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 91.235.128.141:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: cp5ua.hyperhost.ua

Source: yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cp5ua.hyperhost.ua
Source: yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061B6000.00000004.00000020.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2889899904.0000000006170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061B6000.00000004.00000020.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061B6000.00000004.00000020.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2889899904.0000000006170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061B6000.00000004.00000020.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: yMHzNMo3xY.exe, 00000000.00000002.1653947225.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: yMHzNMo3xY.exe, 00000001.00000002.2889945887.00000000061B6000.00000004.00000020.00020000.00000000.sdmp, yMHzNMo3xY.exe, 00000001.00000002.2887031548.00000000029F6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, NDL2m67zO.cs	.Net Code: xEQ1ZU
Source: 0.2.yMHzNMo3xY.exe.3b0a420.2.raw.unpack, NDL2m67zO.cs	.Net Code: xEQ1ZU

System Summary

Source: 0.2.yMHzNMo3xY.exe.39edd90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.39edd90.3.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.3b0a420.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.4f20000.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.4f20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 1.2.yMHzNMo3xY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.3b0a420.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.2991ac8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.yMHzNMo3xY.exe.298f288.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.1654591793.0000000004F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 0_2_0295AA60		0_2_0295AA60
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 0_2_02959188		0_2_02959188
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_04EC3E88		1_2_04EC3E88
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_04EC4AA0		1_2_04EC4AA0
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_04EC9B28		1_2_04EC9B28
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_04EC41D0		1_2_04EC41D0
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_04ECD280		1_2_04ECD280
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_04EC0CB5		1_2_04EC0CB5
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_04EC0D24		1_2_04EC0D24
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_05F8BD10		1_2_05F8BD10
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_05F8DCCD		1_2_05F8DCCD
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_05F83F40		1_2_05F83F40
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_05F82EF8		1_2_05F82EF8
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_05F856D0		1_2_05F856D0
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_05F80040		1_2_05F80040
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_05F88B78		1_2_05F88B78
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_05F89AF0		1_2_05F89AF0
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_05F84FF0		1_2_05F84FF0
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_05F8362F		1_2_05F8362F
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Code function: 1_2_04ECD278		1_2_04ECD278

Source: yMHzNMo3xY.exe, 00000000.00000000.1649655296.000000000057E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebitsadmin.exel% vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000000.00000002.1656249047.0000000005190000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000000.00000002.1653184883.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000000.00000002.1653947225.0000000003985000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000000.00000002.1653947225.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec8974acb-3a71-4081-a494-e71aa35deda7.exe4 vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000000.00000002.1653831470.0000000002981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000000.00000002.1653831470.0000000002981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec8974acb-3a71-4081-a494-e71aa35deda7.exe4 vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000000.00000002.1654591793.0000000004F20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec8974acb-3a71-4081-a494-e71aa35deda7.exe4 vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe, 00000001.00000002.2886283255.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs yMHzNMo3xY.exe
Source: yMHzNMo3xY.exe	Binary or memory string: OriginalFilenamebitsadmin.exel% vs yMHzNMo3xY.exe

Source: yMHzNMo3xY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.yMHzNMo3xY.exe.39edd90.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.yMHzNMo3xY.exe.39edd90.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.yMHzNMo3xY.exe.3b0a420.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.yMHzNMo3xY.exe.4f20000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.yMHzNMo3xY.exe.4f20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 1.2.yMHzNMo3xY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.yMHzNMo3xY.exe.3b0a420.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.yMHzNMo3xY.exe.2991ac8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.yMHzNMo3xY.exe.298f288.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.1654591793.0000000004F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector

Source: yMHzNMo3xY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.yMHzNMo3xY.exe.4f20000.5.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.39edd90.3.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, OTWUo99bfyR.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, OTWUo99bfyR.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, Ui9qhZiA7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, Ui9qhZiA7.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.yMHzNMo3xY.exe.4f20000.5.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.yMHzNMo3xY.exe.39edd90.3.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yMHzNMo3xY.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

Mutant created: NULL

Source: yMHzNMo3xY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: yMHzNMo3xY.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: yMHzNMo3xY.exe	ReversingLabs: Detection: 31%
Source: yMHzNMo3xY.exe	Virustotal: Detection: 37%

Source: unknown	Process created: C:\Users\user\Desktop\yMHzNMo3xY.exe "C:\Users\user\Desktop\yMHzNMo3xY.exe"
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process created: C:\Users\user\Desktop\yMHzNMo3xY.exe "C:\Users\user\Desktop\yMHzNMo3xY.exe"
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process created: C:\Users\user\Desktop\yMHzNMo3xY.exe "C:\Users\user\Desktop\yMHzNMo3xY.exe"			Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: vaultcli.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Section loaded: msasn1.dll			Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: yMHzNMo3xY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: yMHzNMo3xY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: yMHzNMo3xY.exe, 00000000.00000002.1656249047.0000000005190000.00000004.08000000.00040000.00000000.sdmp, yMHzNMo3xY.exe, 00000000.00000002.1653831470.0000000002981000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: yMHzNMo3xY.exe

Static PE information: 0xF952DBE8 [Fri Jul 21 20:30:32 2102 UTC]

Source: yMHzNMo3xY.exe

Static PE information: section name: .text entropy: 7.797131240569471

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: Yara match

File source: Process Memory Space: yMHzNMo3xY.exe PID: 7428, type: MEMORYSTR

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Memory allocated: 2910000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Memory allocated: 2980000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Memory allocated: 4980000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Memory allocated: 2970000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Memory allocated: 29A0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Memory allocated: 49A0000 memory reserve | memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Window / User API: threadDelayed 1296			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Window / User API: threadDelayed 8569			Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7452	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -25825441703193356s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -100000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7560	Thread sleep count: 1296 > 30			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -99886s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7560	Thread sleep count: 8569 > 30			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -99764s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -99656s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -99547s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -99437s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -99328s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -99219s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -99094s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -98984s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -98875s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -98762s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -98656s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -98547s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -98401s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -98297s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -98188s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -98076s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -97969s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -97860s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -97735s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -97610s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -97485s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -97343s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -97234s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -97125s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -97016s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -96906s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -96797s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -96679s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -96563s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -96453s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -96344s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -96234s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -96125s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -96016s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -95906s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -95797s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -95685s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -95578s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -95469s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -95360s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -95235s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -95110s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -94993s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -94875s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -94766s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -94656s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -94547s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe TID: 7552	Thread sleep time: -94438s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 100000			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 99886			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 99764			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 99656			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 99547			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 99437			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 99328			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 99219			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 99094			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 98984			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 98875			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 98762			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 98656			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 98547			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 98401			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 98297			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 98188			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 98076			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 97969			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 97860			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 97735			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 97610			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 97485			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 97343			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 97234			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 97125			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 97016			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 96906			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 96797			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 96679			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 96563			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 96453			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 96344			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 96234			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 96125			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 96016			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 95906			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 95797			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 95685			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 95578			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 95469			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 95360			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 95235			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 95110			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 94993			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 94875			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 94766			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 94656			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 94547			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Thread delayed: delay time: 94438			Jump to behavior

Source: yMHzNMo3xY.exe, 00000001.00000002.2889899904.0000000006170000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, W4ip.cs	Reference to suspicious API methods: ve645LMXEKU.OpenProcess(lUA9OgW.DuplicateHandle, bInheritHandle: true, (uint)aT9Qdac.ProcessID)
Source: 0.2.yMHzNMo3xY.exe.2991ac8.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.yMHzNMo3xY.exe.2991ac8.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.yMHzNMo3xY.exe.2991ac8.1.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

Memory written: C:\Users\user\Desktop\yMHzNMo3xY.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

Process created: C:\Users\user\Desktop\yMHzNMo3xY.exe "C:\Users\user\Desktop\yMHzNMo3xY.exe"

Jump to behavior

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Queries volume information: C:\Users\user\Desktop\yMHzNMo3xY.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Queries volume information: C:\Users\user\Desktop\yMHzNMo3xY.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yMHzNMo3xY.exe.3b0a420.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.yMHzNMo3xY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yMHzNMo3xY.exe.3b0a420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2887031548.00000000029EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2887031548.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2887031548.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1653947225.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yMHzNMo3xY.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yMHzNMo3xY.exe PID: 7460, type: MEMORYSTR

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini			Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles			Jump to behavior
Source: C:\Users\user\Desktop\yMHzNMo3xY.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior

Source: Yara match	File source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yMHzNMo3xY.exe.3b0a420.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.yMHzNMo3xY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yMHzNMo3xY.exe.3b0a420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2887031548.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1653947225.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yMHzNMo3xY.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yMHzNMo3xY.exe PID: 7460, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yMHzNMo3xY.exe.3b0a420.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.yMHzNMo3xY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yMHzNMo3xY.exe.3b0a420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yMHzNMo3xY.exe.3acf9f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2887031548.00000000029EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2887031548.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2886135296.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2887031548.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1653947225.0000000003A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yMHzNMo3xY.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yMHzNMo3xY.exe PID: 7460, type: MEMORYSTR