
Windows Analysis Report
Yanto v1.2.exe

Overview

General Information

Sample name: Yanto v1.2.exe
Analysis ID: 1629495
MD5: a96437dbcc43f251b7fc23fa0649b25f
SHA1: 7a811aa9429fa05a326fae3f639c171ee3abfa49
SHA256: ba5a20516de4e7659b70fb2c407700e530eb605120f57c9011b048182bf0f2ee
Tags: exe, user-PC3463
Infos:

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to modify clipboard data
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Yanto v1.2.exe (PID: 2072 cmdline: "C:\Users\user\Desktop\Yanto v1.2.exe" MD5: A96437DBCC43F251B7FC23FA0649B25F)
    • Yanto v1.2.exe (PID: 5700 cmdline: "C:\Users\user\Desktop\Yanto v1.2.exe" MD5: A96437DBCC43F251B7FC23FA0649B25F)
    • WerFault.exe (PID: 3876 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 792 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
{"C2 url": ["sdfwfsdf.icu", "explorebieology.run", "gadgethgfub.icu", "moderzysics.top", "techmindzs.live", "codxefusion.top", "phygcsforum.life", "techspherxe.top"], "Build id": "LPnhqo--txfbcyyurkpw"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2270486915.00000000036C9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
00000001.00000002.3480754455.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: Yanto v1.2.exe PID: 5700 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: Yanto v1.2.exe PID: 5700 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Yanto v1.2.exe PID: 5700 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
1.2.Yanto v1.2.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
1.2.Yanto v1.2.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
0.2.Yanto v1.2.exe.36c9550.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-04T20:12:23.049139+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49721 | 149.154.167.99 | 443 | TCP
2025-03-04T20:12:23.867938+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49728 | 188.114.97.3 | 443 | TCP
2025-03-04T20:12:27.968333+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49755 | 188.114.97.3 | 443 | TCP
2025-03-04T20:12:48.593233+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49882 | 188.114.97.3 | 443 | TCP
2025-03-04T20:12:49.720590+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49891 | 188.114.97.3 | 443 | TCP
2025-03-04T20:12:50.850769+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49898 | 188.114.97.3 | 443 | TCP
2025-03-04T20:13:11.708536+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 50000 | 188.114.97.3 | 443 | TCP
2025-03-04T20:13:13.086808+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 50001 | 188.114.97.3 | 443 | TCP
2025-03-04T20:13:15.071481+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 50002 | 188.114.97.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-04T20:12:27.416593+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49728 | 188.114.97.3 | 443 | TCP
2025-03-04T20:12:47.885558+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49755 | 188.114.97.3 | 443 | TCP
2025-03-04T20:13:15.545924+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 50002 | 188.114.97.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-04T20:12:27.416593+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49728 | 188.114.97.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-04T20:12:50.268136+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49891 | 188.114.97.3 | 443 | TCP

AV Detection

Source: Yanto v1.2.exe | Avira: detected
Source: gadgethgfub.icu | Avira URL Cloud: Label: malware
Source: phygcsforum.life | Avira URL Cloud: Label: malware
Source: techmindzs.live | Avira URL Cloud: Label: malware
Source: techspherxe.top | Avira URL Cloud: Label: malware
Source: moderzysics.top | Avira URL Cloud: Label: malware
Source: 00000000.00000002.2270486915.00000000036C9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["sdfwfsdf.icu", "explorebieology.run", "gadgethgfub.icu", "moderzysics.top", "techmindzs.live", "codxefusion.top", "phygcsforum.life", "techspherxe.top"], "Build id": "LPnhqo--txfbcyyurkpw"}
Source: Yanto v1.2.exe | Virustotal: Detection: 56%
Source: Yanto v1.2.exe | ReversingLabs: Detection: 68%
Source: 00000000.00000002.2270486915.00000000036C9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: sdfwfsdf.icu
Source: 00000000.00000002.2270486915.00000000036C9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: explorebieology.run
Source: 00000000.00000002.2270486915.00000000036C9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: gadgethgfub.icu
Source: 00000000.00000002.2270486915.00000000036C9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: moderzysics.top
Source: 00000000.00000002.2270486915.00000000036C9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: techmindzs.live
Source: 00000000.00000002.2270486915.00000000036C9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: codxefusion.top
Source: 00000000.00000002.2270486915.00000000036C9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: phygcsforum.life
Source: 00000000.00000002.2270486915.00000000036C9000.00000004.00000800.00020000.00000000.sdmp | String decryptor: techspherxe.top
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 1_2_0041CD3B CryptUnprotectData, | 1_2_0041CD3B
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49882 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49891 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49898 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50001 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50002 version: TLS 1.2
Source: Yanto v1.2.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Windows.Forms.pdb | source: WERCB42.tmp.dmp.5.dr
Source: Binary string: mscorlib.pdb | source: WERCB42.tmp.dmp.5.dr
Source: Binary string: System.ni.pdbRSDS | source: WERCB42.tmp.dmp.5.dr
Source: Binary string: Initial.pdbH | source: WERCB42.tmp.dmp.5.dr
Source: Binary string: mscorlib.ni.pdb | source: WERCB42.tmp.dmp.5.dr
Source: Binary string: System.pdb) | source: WERCB42.tmp.dmp.5.dr
Source: Binary string: mscorlib.ni.pdbRSDS | source: WERCB42.tmp.dmp.5.dr
Source: Binary string: Initial.pdb | source: WERCB42.tmp.dmp.5.dr
Source: Binary string: C:\Users\Admin\source\repos\Initial\Initial\obj\Release\Initial.pdb | source: Yanto v1.2.exe
Source: Binary string: System.ni.pdb | source: WERCB42.tmp.dmp.5.dr
Source: Binary string: System.pdb | source: WERCB42.tmp.dmp.5.dr
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], CF91E6EAh | 1_2_0044D092
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov dword ptr [esp+04h], eax | 1_2_00447140
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp word ptr [edi+ebx], 0000h | 1_2_0044F110
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax] | 1_2_0044F110
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp word ptr [edi+eax], 0000h | 1_2_0042A1D0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov word ptr [ecx], bx | 1_2_00450220
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-3BAFB92Ch] | 1_2_00431BB0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov byte ptr [edi], bl | 1_2_004124C8
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov byte ptr [edi], bl | 1_2_004124C8
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 1_2_0041CD3B
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax+00000178h] | 1_2_0043A612
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then jmp ecx | 1_2_0044AEE0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax] | 1_2_0044AF60
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 1_2_0041BF30
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-02h] | 1_2_00431040
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edi, byte ptr [esp+esi-4E4A9AC8h] | 1_2_0044E850
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+14h] | 1_2_0044E850
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax] | 1_2_0044B860
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax] | 1_2_0044B860
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx ecx, byte ptr [esi+eax-49AF8ABEh] | 1_2_0044D007
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp word ptr [eax+edx+02h], 0000h | 1_2_0040F0C0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edi, byte ptr [esp+esi-4E4A9AC8h] | 1_2_0044E8E0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+14h] | 1_2_0044E8E0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ebp-000000A6h] | 1_2_0040C8A0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov byte ptr [edx], bl | 1_2_0040C8A0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov byte ptr [esp+ecx+0000015Ch], dl | 1_2_0040E0B5
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edi, byte ptr [esp+esi-4E4A9AC8h] | 1_2_0044E970
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+14h] | 1_2_0044E970
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+6DFD4B04h] | 1_2_00422930
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 7A542AABh | 1_2_0044F990
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 7A542AABh | 1_2_0044F990
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp byte ptr [ebx+esi], 00000000h | 1_2_004329BE
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov ebx, eax | 1_2_00408AF0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0000084Ah] | 1_2_0042F2F0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 03E94F29h | 1_2_0041D2B4
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then jmp eax | 1_2_0042F34F
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h | 1_2_00414312
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h | 1_2_00420332
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov dword ptr [esp+04h], ebx | 1_2_0041DB3A
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+ebx-51BF41D6h] | 1_2_00439B91
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov dword ptr [esp], eax | 1_2_00439B91
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+eax+0B86C702h] | 1_2_00423BA0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov byte ptr [esi], cl | 1_2_0043A3AC
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-02h] | 1_2_00431421
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 1_2_0040A430
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 1_2_0040A430
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+ebx-51BF41D6h] | 1_2_00439C3F
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov dword ptr [esp], eax | 1_2_00439C3F
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], B7070F87h | 1_2_004144CB
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h | 1_2_004144CB
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+ebx-51BF41D6h] | 1_2_00439C82
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov dword ptr [esp], eax | 1_2_00439C82
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov eax, ebx | 1_2_00425C80
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then jmp eax | 1_2_0044E489
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+10h] | 1_2_0041148F
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 1_2_00435CA0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+ebx-51BF41D6h] | 1_2_00439D5A
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov dword ptr [esp], eax | 1_2_00439D5A
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+edx-12h] | 1_2_0043856B
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edi, byte ptr [esp+esi-4E4A9AC8h] | 1_2_0044E5C0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+14h] | 1_2_0044E5C0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov word ptr [eax], cx | 1_2_004345F1
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+7E9EC506h] | 1_2_0040DDFA
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax] | 1_2_0042B580
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 1_2_0041CDB0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 1_2_0041BE50
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov byte ptr [eax], cl | 1_2_00420E54
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-02h] | 1_2_00431676
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov dword ptr [esp], ecx | 1_2_00433E10
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 1_2_00443E30
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h | 1_2_0044F6D0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax+115A8F32h] | 1_2_0041EEF5
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edi, byte ptr [esp+esi-4E4A9AC8h] | 1_2_0044E6B0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+14h] | 1_2_0044E6B0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov ecx, edi | 1_2_0041EEB6
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov dword ptr [esp+14h], eax | 1_2_00448F2D
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx ebp, byte ptr [esp+edx-0000008Ah] | 1_2_0044EF30
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then movzx eax, byte ptr [esp+esi-3E070A74h] | 1_2_0044DFC0
Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 4x nop then mov dword ptr [esp+3Ch], AEA6ACAEh | 1_2_00434F90

Networking

                      Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49728 -> 188.114.97.3:443
                      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49728 -> 188.114.97.3:443
                      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49755 -> 188.114.97.3:443
                      Source: Network trafficSuricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49891 -> 188.114.97.3:443
                      Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50002 -> 188.114.97.3:443
                      Source: Malware configuration extractorURLs: sdfwfsdf.icu
                      Source: Malware configuration extractorURLs: explorebieology.run
                      Source: Malware configuration extractorURLs: gadgethgfub.icu
                      Source: Malware configuration extractorURLs: moderzysics.top
                      Source: Malware configuration extractorURLs: techmindzs.live
                      Source: Malware configuration extractorURLs: codxefusion.top
                      Source: Malware configuration extractorURLs: phygcsforum.life
                      Source: Malware configuration extractorURLs: techspherxe.top
                      Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                      Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                      Source: Joe Sandbox ViewIP Address: 149.154.167.99 149.154.167.99
                      Source: Joe Sandbox ViewIP Address: 149.154.167.99 149.154.167.99
                      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                      Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49728 -> 188.114.97.3:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49721 -> 149.154.167.99:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49755 -> 188.114.97.3:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49898 -> 188.114.97.3:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49882 -> 188.114.97.3:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50000 -> 188.114.97.3:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50001 -> 188.114.97.3:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50002 -> 188.114.97.3:443
                      Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49891 -> 188.114.97.3:443
                      Source: global trafficHTTP traffic detected: GET /kz_prokla1 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: t.me
                      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sdfwfsdf.icu
                      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 55Host: sdfwfsdf.icu
                      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CT1EF82YMEOEOJ6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12826Host: sdfwfsdf.icu
                      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WEK103GUJ9MDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15050Host: sdfwfsdf.icu
                      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ZDTR4R0ARRMLAYVNVDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20576Host: sdfwfsdf.icu
                      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WO9O4BXNMFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2417Host: sdfwfsdf.icu
                      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PS8QPJO0H0DC1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570436Host: sdfwfsdf.icu
                      Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: sdfwfsdf.icu
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficHTTP traffic detected: GET /kz_prokla1 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: t.me
                      Source: global trafficDNS traffic detected: DNS query: t.me
                      Source: global trafficDNS traffic detected: DNS query: sdfwfsdf.icu
                      Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sdfwfsdf.icu
                      Source: Amcache.hve.5.drString found in binary or memory: http://upx.sf.net
                      Source: Yanto v1.2.exe, 00000001.00000002.3481463980.0000000000FD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sdfwfsdf.icu/
                      Source: Yanto v1.2.exe, 00000001.00000002.3481463980.0000000000FD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sdfwfsdf.icu/4os
                      Source: Yanto v1.2.exe, 00000001.00000002.3481224006.0000000000F52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sdfwfsdf.icu/api
                      Source: Yanto v1.2.exe, 00000001.00000002.3481224006.0000000000F6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sdfwfsdf.icu/apiM6
                      Source: Yanto v1.2.exe, 00000001.00000002.3481463980.0000000000FD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sdfwfsdf.icu/apiore
                      Source: Yanto v1.2.exe, 00000001.00000002.3481463980.0000000000FD4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sdfwfsdf.icu/ds
                      Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49721 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49728 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49755 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49882 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49891 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49898 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50000 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50001 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:50002 version: TLS 1.2
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 1_2_00441570 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 1_2_00441570
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 1_2_03391000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber, 1_2_03391000
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 1_2_00441D75 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 1_2_00441D75
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: String function: 0041BF20 appears 127 times
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: String function: 0040B440 appears 42 times
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 792
                      Source: Yanto v1.2.exe, 00000000.00000002.2265640627.000000000089E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Yanto v1.2.exe
                      Source: Yanto v1.2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: Yanto v1.2.exe | Static PE information: Section: .CSS ZLIB complexity 1.0003246265453296
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/5@2/2
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 1_2_00447140 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 1_2_00447140
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Mutant created: NULL
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2072
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f651ca3d-f34a-4c58-9159-63b22b42c60d
                      Source: Yanto v1.2.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: Yanto v1.2.exe | Virustotal: Detection: 56%
                      Source: Yanto v1.2.exe | ReversingLabs: Detection: 68%
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | File read: C:\Users\user\Desktop\Yanto v1.2.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\Yanto v1.2.exe "C:\Users\user\Desktop\Yanto v1.2.exe"
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Process created: C:\Users\user\Desktop\Yanto v1.2.exe "C:\Users\user\Desktop\Yanto v1.2.exe"
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 792
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Process created: C:\Users\user\Desktop\Yanto v1.2.exe "C:\Users\user\Desktop\Yanto v1.2.exe"
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: webio.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: schannel.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: dpapi.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: wbemcomn.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Section loaded: profapi.dll
                      Source: Yanto v1.2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Yanto v1.2.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Yanto v1.2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: System.Windows.Forms.pdb source: WERCB42.tmp.dmp.5.dr
                      Source: Binary string: mscorlib.pdb source: WERCB42.tmp.dmp.5.dr
                      Source: Binary string: System.ni.pdbRSDS source: WERCB42.tmp.dmp.5.dr
                      Source: Binary string: Initial.pdbH source: WERCB42.tmp.dmp.5.dr
                      Source: Binary string: mscorlib.ni.pdb source: WERCB42.tmp.dmp.5.dr
                      Source: Binary string: System.pdb) source: WERCB42.tmp.dmp.5.dr
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WERCB42.tmp.dmp.5.dr
                      Source: Binary string: Initial.pdb source: WERCB42.tmp.dmp.5.dr
                      Source: Binary string: C:\Users\Admin\source\repos\Initial\Initial\obj\Release\Initial.pdb source: Yanto v1.2.exe
                      Source: Binary string: System.ni.pdb source: WERCB42.tmp.dmp.5.dr
                      Source: Binary string: System.pdb source: WERCB42.tmp.dmp.5.dr
                      Source: Yanto v1.2.exe | Static PE information: 0xE13E9B06 [Sat Oct 1 03:41:58 2089 UTC]
                      Source: Yanto v1.2.exe | Static PE information: section name: .CSS
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 1_2_00400000 push ss; retf 1_2_00400081
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 1_2_00454885 push ds; iretd 1_2_00454887
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Code function: 1_2_00452401 push edi; ret 1_2_00452414
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\Yanto v1.2.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe System information queried: FirmwareTableInformation
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Memory allocated: CB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Memory allocated: 26C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Memory allocated: 24D0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Window / User API: threadDelayed 4301
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe TID: 5552 Thread sleep time: -150000s >= -30000s
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe TID: 5284 Thread sleep count: 4301 > 30
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Last function: Thread delayed
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Last function: Thread delayed
                      Source: Amcache.hve.5.dr Binary or memory string: VMware
                      Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
                      Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
                      Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                      Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                      Source: Yanto v1.2.exe, 00000001.00000002.3481224006.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, Yanto v1.2.exe, 00000001.00000002.3481145169.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                      Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                      Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                      Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
                      Source: Amcache.hve.5.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                      Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
                      Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
                      Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
                      Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                      Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
                      Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
                      Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
                      Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe API call chain: ExitProcess graph end node graph_1-23361
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Process queried: DebugPort
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Process queried: DebugPort
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Code function: 1_2_0044CF20 LdrInitializeThunk, 1_2_0044CF20
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Code function: 0_2_026C212D mov edi, dword ptr fs:[00000030h] 0_2_026C212D
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Code function: 0_2_026C22AA mov edi, dword ptr fs:[00000030h] 0_2_026C22AA
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Code function: 0_2_026C212D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_026C212D
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Memory written: C:\Users\user\Desktop\Yanto v1.2.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Process created: C:\Users\user\Desktop\Yanto v1.2.exe "C:\Users\user\Desktop\Yanto v1.2.exe"
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Queries volume information: C:\Users\user\Desktop\Yanto v1.2.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                      Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
                      Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                      Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                      Stealing of Sensitive Information

                      Source: Yara match File source: Process Memory Space: Yanto v1.2.exe PID: 5700, type: MEMORYSTR
                      Source: Yara match File source: 1.2.Yanto v1.2.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.Yanto v1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.Yanto v1.2.exe.36c9550.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000002.2270486915.00000000036C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000002.3480754455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: sslproxydump.pcap, type: PCAP
                      Source: Yanto v1.2.exe, 00000001.00000002.3481224006.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\wallets
                      Source: Yanto v1.2.exe, 00000001.00000002.3481224006.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\wallets
                      Source: Yanto v1.2.exe, 00000001.00000002.3481224006.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/JAXX New Version
                      Source: Yanto v1.2.exe, 00000001.00000002.3481224006.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
                      Source: Yanto v1.2.exe, 00000001.00000002.3481145169.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
                      Source: Yanto v1.2.exe, 00000001.00000002.3481145169.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
                      Source: Yanto v1.2.exe, 00000001.00000002.3481224006.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                      Source: C:\Users\user\Desktop\Yanto v1.2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                      Source: C:\Users\user\Desktop\Yanto v1.2.exeDirectory queried: C:\Users\user\Documents\JSDNGYCOWYJump to behavior
                      Source: Yara matchFile source: Process Memory Space: Yanto v1.2.exe PID: 5700, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match | File source: Process Memory Space: Yanto v1.2.exe PID: 5700, type: MEMORYSTR
Source: Yara match | File source: 1.2.Yanto v1.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Yanto v1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Yanto v1.2.exe.36c9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2270486915.00000000036C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3480754455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (12) | DLL Side-Loading (1) | Process Injection (211) | Virtualization/Sandbox Evasion (23) | OS Credential Dumping (2) | Security Software Discovery (231) | Remote Services | Screen Capture (1) | Encrypted Channel (21) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (1) | LSASS Memory | Virtualization/Sandbox Evasion (23) | Remote Desktop Protocol | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Process Injection (211) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Local System (41) | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Deobfuscate/Decode Files or Information (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Clipboard Data (3) | Application Layer Protocol (114) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (3) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Software Packing (2) | Cached Domain Credentials | System Information Discovery (22) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Timestomp (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

The number in parentheses is the count shown next to the technique in the report matrix; techniques without a number were not matched for this sample.

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
