Edit tour

Windows Analysis Report
yxoY9FvULu.exe

Overview

General Information

Sample name:	yxoY9FvULu.exe renamed because original name is a hash value
Original sample name:	af65f2da3fd19510fafbeeff3fdf3531db13eef1cf40f6bcf6580f76c8abf3e4.exe
Analysis ID:	1634551
MD5:	1a92454988adb843951deeffdadac107
SHA1:	8a6bc54cdd49f05c60e1fa4b8bed4d4c4409dd6c
SHA256:	af65f2da3fd19510fafbeeff3fdf3531db13eef1cf40f6bcf6580f76c8abf3e4
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Joe Sandbox ML detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

yxoY9FvULu.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\yxoY9FvULu.exe" MD5: 1A92454988ADB843951DEEFFDADAC107)

InstallUtil.exe (PID: 7552 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

wscript.exe (PID: 8088 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PublicKey.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

PublicKey.exe (PID: 8136 cmdline: "C:\Users\user\AppData\Roaming\PublicKey.exe" MD5: 1A92454988ADB843951DEEFFDADAC107)

InstallUtil.exe (PID: 5456 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1379896072.0000000002851000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1379896072.0000000002851000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2472325468.0000000002D6C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1270238458.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1270238458.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1282729920.0000000005B50000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000002.00000002.1379896072.000000000287C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1408123253.0000000003C66000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1408123253.0000000003C66000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1376474697.0000000000802000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1376474697.0000000000802000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1378610121.0000000002611000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1255997531.0000000002671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000A.00000002.2472325468.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2472325468.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1270238458.0000000003AAA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1270238458.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: yxoY9FvULu.exe PID: 7364	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: yxoY9FvULu.exe PID: 7364	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: yxoY9FvULu.exe PID: 7364	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: yxoY9FvULu.exe PID: 7364	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 7552	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7552	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PublicKey.exe PID: 8136	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: PublicKey.exe PID: 8136	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PublicKey.exe PID: 8136	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PublicKey.exe PID: 8136	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 5456	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 5456	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.yxoY9FvULu.exe.3bebb60.9.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.yxoY9FvULu.exe.5b50000.12.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.yxoY9FvULu.exe.5b50000.12.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.yxoY9FvULu.exe.3b6c365.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.yxoY9FvULu.exe.3b6c365.7.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
9.2.PublicKey.exe.3c7bac0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.PublicKey.exe.3c7bac0.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.PublicKey.exe.3c7bac0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33561:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3367d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33759:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.PublicKey.exe.3c7bac0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.PublicKey.exe.3c7bac0.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.PublicKey.exe.3c7bac0.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31761:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3187d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31959:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.yxoY9FvULu.exe.3b11b48.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
2.2.InstallUtil.exe.800000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.InstallUtil.exe.800000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.InstallUtil.exe.800000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33561:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3367d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33759:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.yxoY9FvULu.exe.3ae9b28.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33561:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3367d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33759:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3387f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.yxoY9FvULu.exe.3deace0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.yxoY9FvULu.exe.3deace0.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.yxoY9FvULu.exe.3deace0.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31761:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3187d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31959:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a7f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.yxoY9FvULu.exe.3bebb60.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.yxoY9FvULu.exe.388c9c0.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.yxoY9FvULu.exe.388c9c0.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.yxoY9FvULu.exe.388c9c0.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x13ed0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x13ed81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x13ee0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x13ee9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x13ef07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x13ef79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x13f00f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x13f09f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.yxoY9FvULu.exe.3780f98.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.yxoY9FvULu.exe.3780f98.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.yxoY9FvULu.exe.3780f98.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x24a737:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x24a7a9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24a833:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24a8c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24a92f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24a9a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x24aa37:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x24aac7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PublicKey.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PublicKey.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PublicKey.vbs" , ProcessId: 8088, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 7552, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49688

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PublicKey.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PublicKey.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PublicKey.vbs" , ProcessId: 8088, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\yxoY9FvULu.exe, ProcessId: 7364, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PublicKey.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: yxoY9FvULu.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://mail.iaa-airferight.com

Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\PublicKey.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\PublicKey.exe

ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: yxoY9FvULu.exe	Virustotal: Detection: 62%			Perma Link
Source: yxoY9FvULu.exe	ReversingLabs: Detection: 57%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: yxoY9FvULu.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49689 version: TLS 1.2

Source: yxoY9FvULu.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003AAA000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1283712254.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003AAA000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1283712254.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1283102709.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1283102709.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_057C037C
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_057C0388
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 4x nop then jmp 05A3DA08h	0_2_05A3D7D8
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 4x nop then jmp 05A3D48Ah	0_2_05A3D0A0
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 4x nop then jmp 05A3DA08h	0_2_05A3D828
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 4x nop then jmp 05A3DA08h	0_2_05A3D819
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 4x nop then jmp 05A3D48Ah	0_2_05A3D07A
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 4x nop then jmp 05C1398Ch	0_2_05C136D0
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 4x nop then jmp 05C1398Ch	0_2_05C136E0
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	9_2_057F037C
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	9_2_057F0388
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 4x nop then jmp 05A6DA08h	9_2_05A6D7D8
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 4x nop then jmp 05A6D48Ah	9_2_05A6D0A0
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 4x nop then jmp 05A6D48Ah	9_2_05A6D085
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 4x nop then jmp 05A6DA08h	9_2_05A6D828
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 4x nop then jmp 05A6DA08h	9_2_05A6D819
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 4x nop then jmp 05C4398Ch	9_2_05C436D0
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 4x nop then jmp 05C4398Ch	9_2_05C436E0

Source: global traffic

TCP traffic: 192.168.2.6:61392 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 46.175.148.58 46.175.148.58
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.6:49688 -> 46.175.148.58:25

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.iaa-airferight.com

Source: InstallUtil.exe, 00000002.00000002.1379896072.000000000287C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2472325468.0000000002D6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.iaa-airferight.com
Source: yxoY9FvULu.exe, 00000000.00000002.1255997531.0000000002671000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1379896072.0000000002801000.00000004.00000800.00020000.00000000.sdmp, PublicKey.exe, 00000009.00000002.1378610121.0000000002611000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2472325468.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1376474697.0000000000802000.00000040.00000400.00020000.00000000.sdmp, PublicKey.exe, 00000009.00000002.1408123253.0000000003C66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1379896072.0000000002801000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1376474697.0000000000802000.00000040.00000400.00020000.00000000.sdmp, PublicKey.exe, 00000009.00000002.1408123253.0000000003C66000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2472325468.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: InstallUtil.exe, 00000002.00000002.1379896072.0000000002801000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2472325468.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: InstallUtil.exe, 00000002.00000002.1379896072.0000000002801000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2472325468.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1283102709.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1283102709.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, PublicKey.exe, 00000009.00000002.1408123253.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1283102709.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1283102709.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1255997531.0000000002671000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1283102709.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, PublicKey.exe, 00000009.00000002.1378610121.0000000002611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp, yxoY9FvULu.exe, 00000000.00000002.1283102709.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49689 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack, abAX9N.cs

.Net Code: OPnJT

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.PublicKey.exe.3c7bac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.PublicKey.exe.3c7bac0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.yxoY9FvULu.exe.3deace0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.yxoY9FvULu.exe.388c9c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.yxoY9FvULu.exe.3780f98.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_00A02B88	0_2_00A02B88
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_00A025EC	0_2_00A025EC
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_00A025F8	0_2_00A025F8
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_057C7519	0_2_057C7519
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_057C4F78	0_2_057C4F78
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_057C8E8B	0_2_057C8E8B
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_057CF1D0	0_2_057CF1D0
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_057CD4C0	0_2_057CD4C0
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_057CD4AF	0_2_057CD4AF
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_057C4F68	0_2_057C4F68
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_057C17F1	0_2_057C17F1
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_057C1800	0_2_057C1800
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_057CB238	0_2_057CB238
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_057CB228	0_2_057CB228
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05916988	0_2_05916988
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_059105B0	0_2_059105B0
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_059105C0	0_2_059105C0
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_0591697A	0_2_0591697A
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05917041	0_2_05917041
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_0591E250	0_2_0591E250
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_059F1638	0_2_059F1638
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_059F1648	0_2_059F1648
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_059F0006	0_2_059F0006
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_059F0040	0_2_059F0040
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05A39930	0_2_05A39930
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05A3F90B	0_2_05A3F90B
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05A3F960	0_2_05A3F960
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05A3ECDC	0_2_05A3ECDC
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05A3F953	0_2_05A3F953
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C1ADC8	0_2_05C1ADC8
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C1DF78	0_2_05C1DF78
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C11B30	0_2_05C11B30
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C1ADB9	0_2_05C1ADB9
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C1DF68	0_2_05C1DF68
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C11B20	0_2_05C11B20
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C31783	0_2_05C31783
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C3DB20	0_2_05C3DB20
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C39A60	0_2_05C39A60
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C3A7A8	0_2_05C3A7A8
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C35FB3	0_2_05C35FB3
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C3DE47	0_2_05C3DE47
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C3789A	0_2_05C3789A
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C378A0	0_2_05C378A0
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C39A50	0_2_05C39A50
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05CBFCA0	0_2_05CBFCA0
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05CBE8E8	0_2_05CBE8E8
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05CA0040	0_2_05CA0040
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05CA001C	0_2_05CA001C
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05CBE398	0_2_05CBE398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00C7E480	2_2_00C7E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00C7A958	2_2_00C7A958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00C74A90	2_2_00C74A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00C7DCB8	2_2_00C7DCB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00C73E78	2_2_00C73E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00C741C0	2_2_00C741C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00C7C86F	2_2_00C7C86F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06077D68	2_2_06077D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06075588	2_2_06075588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_060765E0	2_2_060765E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0607B20F	2_2_0607B20F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06073040	2_2_06073040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06077688	2_2_06077688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06075CD3	2_2_06075CD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0607050A	2_2_0607050A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06072349	2_2_06072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_0607E388	2_2_0607E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_06070006	2_2_06070006
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_02342B88	9_2_02342B88
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_023425F8	9_2_023425F8
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_023425EC	9_2_023425EC
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_057F7519	9_2_057F7519
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_057F4F78	9_2_057F4F78
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_057F8E8B	9_2_057F8E8B
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_057FF1D0	9_2_057FF1D0
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_057FD4C0	9_2_057FD4C0
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_057FD4AF	9_2_057FD4AF
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_057F4F68	9_2_057F4F68
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_057F17F1	9_2_057F17F1
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_057F1800	9_2_057F1800
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_057FB238	9_2_057FB238
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_057FB228	9_2_057FB228
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05946988	9_2_05946988
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_059405B0	9_2_059405B0
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_059405C0	9_2_059405C0
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05940521	9_2_05940521
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_0594697A	9_2_0594697A
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05947041	9_2_05947041
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_0594E250	9_2_0594E250
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05A21638	9_2_05A21638
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05A21648	9_2_05A21648
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05A20007	9_2_05A20007
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05A20040	9_2_05A20040
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05A6F90B	9_2_05A6F90B
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05A6F960	9_2_05A6F960
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05A69A18	9_2_05A69A18
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05A6ECDC	9_2_05A6ECDC
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05A6F953	9_2_05A6F953
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C4C680	9_2_05C4C680
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C41B30	9_2_05C41B30
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C4C670	9_2_05C4C670
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C41B20	9_2_05C41B20
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C61781	9_2_05C61781
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C6DB20	9_2_05C6DB20
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C69A60	9_2_05C69A60
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C6A7A8	9_2_05C6A7A8
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C6F119	9_2_05C6F119
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C65FB3	9_2_05C65FB3
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C6DE47	9_2_05C6DE47
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C67891	9_2_05C67891
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C678A0	9_2_05C678A0
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C69A50	9_2_05C69A50
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05CEFCA0	9_2_05CEFCA0
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05CEE8E8	9_2_05CEE8E8
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05CD0040	9_2_05CD0040
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05CD0006	9_2_05CD0006
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05CEE398	9_2_05CEE398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_02ADE6A1	10_2_02ADE6A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_02AD4A98	10_2_02AD4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_02AD3E80	10_2_02AD3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_02AD41C8	10_2_02AD41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_02ADA960	10_2_02ADA960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065BA25C	10_2_065BA25C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065BB880	10_2_065BB880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065C65E0	10_2_065C65E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065C5588	10_2_065C5588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065CB20F	10_2_065CB20F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065C3040	10_2_065C3040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065C7D68	10_2_065C7D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065C7688	10_2_065C7688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065C234B	10_2_065C234B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065CE388	10_2_065CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065C0040	10_2_065C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065C5CD3	10_2_065C5CD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065C0006	10_2_065C0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065C054F	10_2_065C054F

Source: yxoY9FvULu.exe, 00000000.00000002.1255997531.0000000002951000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs yxoY9FvULu.exe
Source: yxoY9FvULu.exe, 00000000.00000002.1280835981.0000000005680000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameHbgst.dll" vs yxoY9FvULu.exe
Source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003A3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs yxoY9FvULu.exe
Source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHbgst.dll" vs yxoY9FvULu.exe
Source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs yxoY9FvULu.exe
Source: yxoY9FvULu.exe, 00000000.00000002.1255997531.0000000002671000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs yxoY9FvULu.exe
Source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs yxoY9FvULu.exe
Source: yxoY9FvULu.exe, 00000000.00000002.1255357241.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs yxoY9FvULu.exe
Source: yxoY9FvULu.exe, 00000000.00000000.1227690692.00000000002B2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameZxnxo.exe, vs yxoY9FvULu.exe
Source: yxoY9FvULu.exe, 00000000.00000002.1270238458.0000000003AAA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs yxoY9FvULu.exe
Source: yxoY9FvULu.exe, 00000000.00000002.1283712254.0000000005CC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs yxoY9FvULu.exe
Source: yxoY9FvULu.exe, 00000000.00000002.1283102709.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs yxoY9FvULu.exe
Source: yxoY9FvULu.exe	Binary or memory string: OriginalFilenameZxnxo.exe, vs yxoY9FvULu.exe

Source: 9.2.PublicKey.exe.3c7bac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.PublicKey.exe.3c7bac0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.yxoY9FvULu.exe.3deace0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.yxoY9FvULu.exe.388c9c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.yxoY9FvULu.exe.3780f98.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: yxoY9FvULu.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PublicKey.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: yxoY9FvULu.exe, Elyaw.cs	Cryptographic APIs: 'CreateDecryptor'
Source: PublicKey.exe.0.dr, Elyaw.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack, RsYAkkzVoy.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack, Kqqzixk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack, xROdzGigX.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack, ywes.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack, iPVW0zV.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack, 1Pi9sgbHwoV.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack, YUgDfWK2g4.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.yxoY9FvULu.exe.3c50380.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.yxoY9FvULu.exe.3c50380.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.yxoY9FvULu.exe.3c50380.2.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.yxoY9FvULu.exe.3c50380.2.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.yxoY9FvULu.exe.3c50380.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.yxoY9FvULu.exe.3c50380.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.yxoY9FvULu.exe.3c50380.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yxoY9FvULu.exe.3c50380.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.yxoY9FvULu.exe.3c50380.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.yxoY9FvULu.exe.3c50380.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: unknown	Process created: C:\Users\user\Desktop\yxoY9FvULu.exe "C:\Users\user\Desktop\yxoY9FvULu.exe"
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PublicKey.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\PublicKey.exe "C:\Users\user\AppData\Roaming\PublicKey.exe"
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\PublicKey.exe "C:\Users\user\AppData\Roaming\PublicKey.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior

Source: yxoY9FvULu.exe, Xkctam.cs	.Net Code: Yvyrkrpu System.AppDomain.Load(byte[])
Source: PublicKey.exe.0.dr, Xkctam.cs	.Net Code: Yvyrkrpu System.AppDomain.Load(byte[])
Source: 0.2.yxoY9FvULu.exe.5bc0000.13.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.yxoY9FvULu.exe.5bc0000.13.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.yxoY9FvULu.exe.5bc0000.13.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.yxoY9FvULu.exe.5bc0000.13.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.yxoY9FvULu.exe.5bc0000.13.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.yxoY9FvULu.exe.3c50380.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.yxoY9FvULu.exe.3c50380.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.yxoY9FvULu.exe.3c50380.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Source: Yara match	File source: 0.2.yxoY9FvULu.exe.3bebb60.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yxoY9FvULu.exe.5b50000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yxoY9FvULu.exe.5b50000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yxoY9FvULu.exe.3b6c365.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yxoY9FvULu.exe.3b6c365.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yxoY9FvULu.exe.3b11b48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yxoY9FvULu.exe.3ae9b28.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yxoY9FvULu.exe.3bebb60.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1282729920.0000000005B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1378610121.0000000002611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1255997531.0000000002671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1270238458.0000000003AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1270238458.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yxoY9FvULu.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PublicKey.exe PID: 8136, type: MEMORYSTR

Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_00A061C4 push esp; retf	0_2_00A061C7
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_00A0B2B5 push 8BFFFFFEh; retf	0_2_00A0B2BB
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_057E25B5 pushad ; retf	0_2_057E25C1
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_059127E5 push edx; iretd	0_2_059127EB
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_0591A201 push eax; iretd	0_2_0591A208
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05A373A0 pushfd ; iretd	0_2_05A373A1
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C34083 push ss; ret	0_2_05C3408A
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C3401B push 0000003Bh; ret	0_2_05C34032
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C3403B push es; ret	0_2_05C34042
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C33FD3 push ebp; ret	0_2_05C33FE1
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C33F73 push ss; ret	0_2_05C33F8E
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C33EEB push es; ret	0_2_05C33EFE
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Code function: 0_2_05C33E90 push 00000013h; ret	0_2_05C33E92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00C70CCB push edi; retf	2_2_00C70C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00C70C45 push ebx; retf	2_2_00C70C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00C70C53 push ebx; retf	2_2_00C70C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 2_2_00C70C6D push edi; retf	2_2_00C70C7A
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_0234B2B5 push 8BFFFFFEh; retf	9_2_0234B2BB
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_023461C4 push esp; retf	9_2_023461C7
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_059427E5 push edx; iretd	9_2_059427EB
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_0594A201 push eax; iretd	9_2_0594A208
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Code function: 9_2_05C6BEC1 push edi; iretd	9_2_05C6BEC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_02AD0C6D push edi; retf	10_2_02AD0C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_02AD0C45 push ebx; retf	10_2_02AD0C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_02AD0C54 push ebx; retf	10_2_02AD0C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065B4BD0 push ebp; iretd	10_2_065B4C4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065B2864 push E8000006h; ret	10_2_065B2869
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065B34DA push 00000006h; retf	10_2_065B34E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065B3A40 push FC066ADAh; retf	10_2_065B3A4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_065CFFB0 push es; ret	10_2_065CFFC0

Source: yxoY9FvULu.exe	Static PE information: section name: .text entropy: 7.998389264614215
Source: PublicKey.exe.0.dr	Static PE information: section name: .text entropy: 7.998389264614215

Source: 0.2.yxoY9FvULu.exe.388c9c0.6.raw.unpack, lZaohZ6vjCH8r3VTkEN.cs	High entropy of concatenated method names: 'yo66w4Jx8j', 'M3N6lvYUSY', 'rAL61NPCtg', 'IN76uTgOuS', 'qgu6imsSTt', 'oaT68BMZNC', 'SW46Y8FUXf', 'WsH6pHU5C5', 'Rks67qLuCX', 'Jth6VMneNI'
Source: 0.2.yxoY9FvULu.exe.388c9c0.6.raw.unpack, FbllZilgrmSV4Qes5me.cs	High entropy of concatenated method names: 'k14l9oS5Lr', 'CZ2lhVlULy', 'fDFlHdILT1', 'cPIlyD7sMX', 'ucblx4w6sN', 'svSlXuQZvW', 'X7LlERUDuo', 'eOolMpkJqB', 'QFmlOyPwZY', 'MqwlWUKnce'
Source: 0.2.yxoY9FvULu.exe.388c9c0.6.raw.unpack, e5B0UXwThaTGbDPlCvy.cs	High entropy of concatenated method names: 'RmBUKtH4HSAJDcJs6nA', 'F08pswHjgJ5DZqyExNq', 'JedlQt2ISg', 'vh0ry9Sq2v', 'UYel16XBgE', 'HcQl0GdCuD', 'gchlul7vU1', 'VeMlLYgKwP', 'XRgXk45JdT', 'H8XwqjbiiE'
Source: 0.2.yxoY9FvULu.exe.388c9c0.6.raw.unpack, tA9PiwvMpcQ6iGIge5h.cs	High entropy of concatenated method names: 'Tew5utauIJ', 'heJ5LtR0cy', 'GTA5ibuWcF', 'wV7xdsh7YQHdqZo57N6', 'ok02vkhGryZ4cYSvpXA', 'gZ7vWnA3Go', 'FkFvadFyTf', 'eS1vbpl2lU', 'U8VvzhhLns', 'w6J5fa8bHZ'
Source: 0.2.yxoY9FvULu.exe.388c9c0.6.raw.unpack, H1OHW9laTdjwvUQl5Le.cs	High entropy of concatenated method names: 'OC5DbnetLr', 'e9SDzfgXuO', 'jJl8fQ5hjP', 'thr86eGtIw', 'nHT8JtF23Q', 'b1X8NhS9gc', 'qLZ82WFMTT', 'h7PU8W54dy', 'Yag8FEPTsN', 'QHi84hqDBc'
Source: 0.2.yxoY9FvULu.exe.388c9c0.6.raw.unpack, H4OjEP4H98ZhnSDW9aj.cs	High entropy of concatenated method names: 'LIn4xCDU1y', 'qZk4ET2lLG', 'X0S4OYSNR6', 'sAL4adqEWe', 'mXK4blS0e2', 'G1g4zXtTog', 'xkpjfoYfcr', 'YC8j6KIh4X', 'DvwjJHgScX', 'iIXjNg1lD6'
Source: 0.2.yxoY9FvULu.exe.388c9c0.6.raw.unpack, BURcRZ59l23DaLlrg7g.cs	High entropy of concatenated method names: 'TEQ5XtKpSK', 'qeS5EVxQWe', 'KpE5Mgh6og', 'niu5OQvc4y', 'HVE5WHIWQf', 'FiZ5aBFoM8', 'HC55bnT7ml', 'laB5zamUJA', 'OmZwfGYD72', 'faQw6JlKHt'
Source: 0.2.yxoY9FvULu.exe.388c9c0.6.raw.unpack, xhxbPTjLWgLvpJXJiuL.cs	High entropy of concatenated method names: 'oTZjpOMsNn', 'u8n4pvmNQQKatEMsxXP', 'CwRr90m25Fqd0kmLxUC', 'wE9lyHPai96eBHLx1iV', 'ktQbRCPbYyIKbbOkWWg'

Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Memory allocated: A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Memory allocated: 2670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Memory allocated: C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Memory allocated: 2300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Memory allocated: 2610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Memory allocated: 4610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3929	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 5885	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Window / User API: threadDelayed 354	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2507	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7337	Jump to behavior

Source: C:\Users\user\Desktop\yxoY9FvULu.exe TID: 7400	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe TID: 7456	Thread sleep count: 264 > 30	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe TID: 7464	Thread sleep count: 96 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7832	Thread sleep count: 3929 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -99828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -99370s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -99250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7832	Thread sleep count: 5885 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -99141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -99016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -98903s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -98797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -98563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -98438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -97985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -97860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -97485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -97360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -97235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -96935s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -96828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -96685s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -96469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -96235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -96110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -95985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -95860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -95735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -95610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -95485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -95360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -95235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -95110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -94985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -94860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -94735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -94610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -94485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -94360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -94208s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -94067s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -93940s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -93822s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -93719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -93609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -93481s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7824	Thread sleep time: -93375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe TID: 8172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe TID: 5644	Thread sleep count: 354 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3372	Thread sleep count: 2507 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3372	Thread sleep count: 7337 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -99777s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -98795s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -98468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -98250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -97921s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -97804s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -97702s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -97585s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -97450s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -97286s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -97166s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -96937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -96812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -96673s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -96547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -96437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -96218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -96109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -96000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -95890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -95781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -95666s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -95562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -95343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -95234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -95125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -95015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -94906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -94796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -94687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -94578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -94458s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -94343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -94232s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -94125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4512	Thread sleep time: -94015s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Last function: Thread delayed

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yxoY9FvULu.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
yxoY9FvULu.exe

Source: PublicKey.exe, 00000009.00000002.1378610121.0000000002611000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: PublicKey.exe, 00000009.00000002.1378610121.0000000002611000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: InstallUtil.exe, 00000002.00000002.1376964729.00000000009C7000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2482526932.0000000005FB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Queries volume information: C:\Users\user\Desktop\yxoY9FvULu.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yxoY9FvULu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Queries volume information: C:\Users\user\AppData\Roaming\PublicKey.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\PublicKey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 9.2.PublicKey.exe.3c7bac0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PublicKey.exe.3c7bac0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yxoY9FvULu.exe.3deace0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yxoY9FvULu.exe.3deace0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yxoY9FvULu.exe.388c9c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yxoY9FvULu.exe.3780f98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1379896072.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2472325468.0000000002D6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1270238458.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1379896072.000000000287C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1408123253.0000000003C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1376474697.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2472325468.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1270238458.0000000003671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yxoY9FvULu.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PublicKey.exe PID: 8136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5456, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	121 Windows Management Instrumentation	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	3 Obfuscated Files or Information	1 Credentials in Registry	311 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	22 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement