
Analysis Report quotation.exe

Overview

General Information

Sample Name: quotation.exe
Analysis ID: 289496
MD5: 9a3cb2f5280aa04664133de0d0acc850
SHA1: b7e016680b39484a415b2532076bba9183378bd2
SHA256: 72ce6d54e53bef9b40b4bc65658af46c49cbc340e87aa8ed7a4d0ef574a1e45c
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Contains functionality to detect sleep reduction / modifications
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • quotation.exe (PID: 6180 cmdline: 'C:\Users\user\Desktop\quotation.exe' MD5: 9A3CB2F5280AA04664133DE0D0ACC850)
    • quotation.exe (PID: 6600 cmdline: 'C:\Users\user\Desktop\quotation.exe' MD5: 9A3CB2F5280AA04664133DE0D0ACC850)
  • YYtJku.exe (PID: 5688 cmdline: 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe' MD5: 9A3CB2F5280AA04664133DE0D0ACC850)
    • YYtJku.exe (PID: 5616 cmdline: 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe' MD5: 9A3CB2F5280AA04664133DE0D0ACC850)
  • YYtJku.exe (PID: 6432 cmdline: 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe' MD5: 9A3CB2F5280AA04664133DE0D0ACC850)
    • YYtJku.exe (PID: 4768 cmdline: 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe' MD5: 9A3CB2F5280AA04664133DE0D0ACC850)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "fSk2L", "URL: ": "http://qEdGRF2PAHMeabrqAeVS.org", "To: ": "fnamuche@transreyca.com", "ByHost: ": "mail.transreyca.com:587", "Password: ": "ccvQR0mAcqAJ5", "From: ": "fnamuche@transreyca.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.397508718.0000000002892000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.397631758.00000000028DB000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000002.624296676.00000000009C2000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000001.413665226.0000000000467000.00000040.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000002.628750759.00000000027D1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 32 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.YYtJku.exe.22b0000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
11.2.YYtJku.exe.920000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.2.YYtJku.exe.680000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
11.2.YYtJku.exe.920000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.quotation.exe.2280000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 14 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: YYtJku.exe.4768.11.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "fSk2L", "URL: ": "http://qEdGRF2PAHMeabrqAeVS.org", "To: ": "fnamuche@transreyca.com", "ByHost: ": "mail.transreyca.com:587", "Password: ": "ccvQR0mAcqAJ5", "From: ": "fnamuche@transreyca.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Virustotal: Detection: 63%
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: quotation.exe | Virustotal: Detection: 63%
Source: quotation.exe | ReversingLabs: Detection: 58%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: quotation.exe | Joe Sandbox ML: detected
Source: 9.2.YYtJku.exe.23c0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.YYtJku.exe.22b0000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.quotation.exe.2580000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.YYtJku.exe.2500000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.quotation.exe.2280000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 11.2.YYtJku.exe.9c0000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00408A08 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime | 1_2_00408A08
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00405A4C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn | 1_2_00405A4C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4_2_00408A08 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime | 4_2_00408A08
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4_2_00405A4C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn | 4_2_00405A4C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_00408A08 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime | 9_2_00408A08
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_00405A4C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn | 9_2_00405A4C
Source: C:\Users\user\Desktop\quotation.exe | Code function: 4x nop then mov byte ptr [ebp-0Ah], FFFFFFC3h | 1_2_0046D05C
Source: C:\Users\user\Desktop\quotation.exe | Code function: 4x nop then mov byte ptr [ebp-09h], 0000003Eh | 1_2_0046D05C
Source: C:\Users\user\Desktop\quotation.exe | Code function: 4x nop then mov edi, eax | 1_2_0046D05C
Source: C:\Users\user\Desktop\quotation.exe | Code function: 4x nop then mov esi, ecx | 1_2_0046D05C
Source: C:\Users\user\Desktop\quotation.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 1_2_0046D05C
Source: C:\Users\user\Desktop\quotation.exe | Code function: 4x nop then mov edx, dword ptr [ebp-08h] | 1_2_0046D05C
Source: C:\Users\user\Desktop\quotation.exe | Code function: 4x nop then xor dl, byte ptr [ebp-09h] | 1_2_0046D05C
Source: C:\Users\user\Desktop\quotation.exe | Code function: 4x nop then mov dl, byte ptr [ebp-0Ah] | 1_2_0046D05C
Source: C:\Users\user\Desktop\quotation.exe | Code function: 4x nop then inc ecx | 1_2_0046D05C
Source: C:\Users\user\Desktop\quotation.exe | Code function: 4x nop then mov edi, dword ptr [ebp-18h] | 1_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov byte ptr [ebp-0Ah], FFFFFFC3h | 4_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov byte ptr [ebp-09h], 0000003Eh | 4_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov edi, eax | 4_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov esi, ecx | 4_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 4_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov edx, dword ptr [ebp-08h] | 4_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then xor dl, byte ptr [ebp-09h] | 4_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov dl, byte ptr [ebp-0Ah] | 4_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then inc ecx | 4_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov edi, dword ptr [ebp-18h] | 4_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov byte ptr [ebp-0Ah], FFFFFFC3h | 9_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov byte ptr [ebp-09h], 0000003Eh | 9_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov edi, eax | 9_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov esi, ecx | 9_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov eax, dword ptr [ebp-04h] | 9_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov edx, dword ptr [ebp-08h] | 9_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then xor dl, byte ptr [ebp-09h] | 9_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov dl, byte ptr [ebp-0Ah] | 9_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then inc ecx | 9_2_0046D05C
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4x nop then mov edi, dword ptr [ebp-18h] | 9_2_0046D05C

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipify.org (18 identical queries)
Source: global traffic | TCP traffic: 192.168.2.3:49734 -> 162.241.244.88:587
Source: Joe Sandbox View | IP Address: 23.21.203.47
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS traffic detected: queries for: mail.transreyca.com
Source: quotation.exe, 00000002.00000002.628253963.0000000002931000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.628400133.0000000002951000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000002.628750759.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: YYtJku.exe, 0000000B.00000002.628750759.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: quotation.exe, 00000002.00000002.630586527.0000000002C84000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.630754104.0000000002CA2000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000002.631067232.0000000002B21000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org
Source: quotation.exe, 00000002.00000002.630332926.0000000002C45000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.623063534.0000000000756000.00000004.00000020.sdmp, YYtJku.exe, 0000000B.00000002.630890137.0000000002AEE000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: quotation.exe, 00000002.00000002.630332926.0000000002C45000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.623063534.0000000000756000.00000004.00000020.sdmp, YYtJku.exe, 0000000B.00000002.630890137.0000000002AEE000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: YYtJku.exe, 00000005.00000002.623063534.0000000000756000.00000004.00000020.sdmp | String found in binary or memory: http://cps.le
Source: quotation.exe, 00000002.00000002.630332926.0000000002C45000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.623063534.0000000000756000.00000004.00000020.sdmp, YYtJku.exe, 0000000B.00000002.630890137.0000000002AEE000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: quotation.exe, 00000002.00000002.630332926.0000000002C45000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.623063534.0000000000756000.00000004.00000020.sdmp, YYtJku.exe, 0000000B.00000002.630890137.0000000002AEE000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: quotation.exe, 00000002.00000002.630586527.0000000002C84000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.630754104.0000000002CA2000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000003.476216573.0000000005DC3000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: quotation.exe, 00000002.00000002.630586527.0000000002C84000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.630754104.0000000002CA2000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000003.476216573.0000000005DC3000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: quotation.exe, 00000002.00000002.630332926.0000000002C45000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.623063534.0000000000756000.00000004.00000020.sdmp, YYtJku.exe, 0000000B.00000002.630890137.0000000002AEE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: YYtJku.exe, 0000000B.00000002.635193986.0000000005D97000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsofC
Source: YYtJku.exe, 0000000B.00000002.635193986.0000000005D97000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsofC:
Source: quotation.exe, 00000002.00000002.630586527.0000000002C84000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.630754104.0000000002CA2000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000002.631067232.0000000002B21000.00000004.00000001.sdmp | String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: quotation.exe, 00000002.00000002.630332926.0000000002C45000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.623063534.0000000000756000.00000004.00000020.sdmp, YYtJku.exe, 0000000B.00000002.630890137.0000000002AEE000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: quotation.exe, 00000002.00000002.630332926.0000000002C45000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.630438988.0000000002C62000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000002.630806007.0000000002AE1000.00000004.00000001.sdmp | String found in binary or memory: http://mail.transreyca.com
Source: YYtJku.exe, 0000000B.00000003.476216573.0000000005DC3000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: quotation.exe, 00000002.00000002.630332926.0000000002C45000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.623063534.0000000000756000.00000004.00000020.sdmp, YYtJku.exe, 0000000B.00000002.630890137.0000000002AEE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: YYtJku.exe, 0000000B.00000002.628750759.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: http://pVMQQp.com
Source: YYtJku.exe, 0000000B.00000002.628750759.00000000027D1000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000003.457858663.0000000000534000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000002.631030721.0000000002B13000.00000004.00000001.sdmp | String found in binary or memory: http://qEdGRF2PAHMeabrqAeVS.org
Source: YYtJku.exe, 00000005.00000002.628400133.0000000002951000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000002.628750759.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: http://qEdGRF2PAHMeabrqAeVS.org$
Source: quotation.exe, 00000002.00000002.630528707.0000000002C76000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.630683811.0000000002C94000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000002.631030721.0000000002B13000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: quotation.exe, 00000002.00000002.630528707.0000000002C76000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.630683811.0000000002C94000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000002.631030721.0000000002B13000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org
Source: YYtJku.exe, 0000000B.00000002.631030721.0000000002B13000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/
Source: quotation.exe, 00000002.00000002.630528707.0000000002C76000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.630683811.0000000002C94000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org4Al
Source: YYtJku.exe, 0000000B.00000002.631030721.0000000002B13000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org4AlX
Source: YYtJku.exe, 0000000B.00000002.628750759.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: quotation.exe, 00000001.00000002.359644642.00000000042A2000.00000040.00000001.sdmp, quotation.exe, 00000002.00000002.624368890.0000000002282000.00000040.00000001.sdmp, YYtJku.exe, 00000004.00000002.397508718.0000000002892000.00000040.00000001.sdmp, YYtJku.exe, 00000005.00000002.624367119.00000000022B2000.00000040.00000001.sdmp, YYtJku.exe, 00000009.00000002.419114031.0000000002752000.00000040.00000001.sdmp, YYtJku.exe, 0000000B.00000002.624296676.00000000009C2000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: quotation.exe, 00000002.00000002.628253963.0000000002931000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.628400133.0000000002951000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000002.628750759.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: quotation.exe, 00000002.00000002.630586527.0000000002C84000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.630754104.0000000002CA2000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000003.476216573.0000000005DC3000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: quotation.exe, YYtJku.exe, 00000004.00000002.397508718.0000000002892000.00000040.00000001.sdmp, YYtJku.exe, 00000005.00000002.624367119.00000000022B2000.00000040.00000001.sdmp, YYtJku.exe, 00000009.00000002.419114031.0000000002752000.00000040.00000001.sdmp, YYtJku.exe, 0000000B.00000002.624296676.00000000009C2000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: quotation.exe, 00000002.00000002.628253963.0000000002931000.00000004.00000001.sdmp, YYtJku.exe, 00000005.00000002.628400133.0000000002951000.00000004.00000001.sdmp, YYtJku.exe, 0000000B.00000002.628750759.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00407036 OpenClipboard | 1_2_00407036
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00424EE8 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader | 1_2_00424EE8
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_0042552C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette | 9_2_0042552C
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00438C48 GetKeyboardState | 1_2_00438C48
Source: quotation.exe, 00000001.00000002.358222570.00000000007FA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: quotation.exe
                      Source: C:\Users\user\Desktop\quotation.exeCode function: 1_2_00456954 NtdllDefWindowProc_A,1_2_00456954
                      Source: C:\Users\user\Desktop\quotation.exeCode function: 1_2_0043BB80 NtdllDefWindowProc_A,GetCapture,1_2_0043BB80
                      Source: C:\Users\user\Desktop\quotation.exeCode function: 1_2_004570D0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,1_2_004570D0
                      Source: C:\Users\user\Desktop\quotation.exeCode function: 1_2_00457180 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,1_2_00457180
                      Source: C:\Users\user\Desktop\quotation.exeCode function: 1_2_0042F270 NtdllDefWindowProc_A,1_2_0042F270
                      Source: C:\Users\user\Desktop\quotation.exeCode function: 1_2_0044B504 GetSubMenu,SaveDC,RestoreDC,739EB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,1_2_0044B504
                      Source: C:\Users\user\Desktop\quotation.exeCode function: 2_2_00444159 NtCreateSection,2_2_00444159
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 4_2_00456954 NtdllDefWindowProc_A,4_2_00456954
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 4_2_0043BB80 NtdllDefWindowProc_A,GetCapture,4_2_0043BB80
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 4_2_004570D0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,4_2_004570D0
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 4_2_00457180 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,4_2_00457180
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 4_2_0042F270 NtdllDefWindowProc_A,4_2_0042F270
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 4_2_0044B504 GetSubMenu,SaveDC,RestoreDC,739EB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,4_2_0044B504
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 5_2_00444159 NtCreateSection,5_2_00444159
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 9_2_00456954 NtdllDefWindowProc_A,9_2_00456954
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 9_2_0043BB80 NtdllDefWindowProc_A,GetCapture,9_2_0043BB80
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 9_2_004570D0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,9_2_004570D0
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 9_2_00457180 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,9_2_00457180
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 9_2_0042F270 NtdllDefWindowProc_A,9_2_0042F270
                      Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exeCode function: 9_2_0044B504 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,9_2_0044B504
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00451028
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0044B504
Source: C:\Users\user\Desktop\quotation.exe | Code function: 2_2_0043D976
Source: C:\Users\user\Desktop\quotation.exe | Code function: 2_2_0044313D
Source: C:\Users\user\Desktop\quotation.exe | Code function: 2_2_023D46A0
Source: C:\Users\user\Desktop\quotation.exe | Code function: 2_2_023D35BC
Source: C:\Users\user\Desktop\quotation.exe | Code function: 2_2_023D3D42
Source: C:\Users\user\Desktop\quotation.exe | Code function: 2_2_023D45B0
Source: C:\Users\user\Desktop\quotation.exe | Code function: 2_2_023D5392
Source: C:\Users\user\Desktop\quotation.exe | Code function: 2_2_023DD1E0
Source: C:\Users\user\Desktop\quotation.exe | Code function: 2_2_023D35B0
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4_2_00451028
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4_2_0044B504
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_0043D976
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_0044313D
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_028A46A0
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_028A35BC
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_028A45B0
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_028A5392
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_059C6508
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_059C8CD8
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_059C7120
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_059C6850
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_05E01530
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_05E0DF20
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_05E02858
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_05E0F640
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 5_2_05E06DE1
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_00451028
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_0044B504
Source: C:\Users\user\Desktop\quotation.exe | Code function: String function: 004042AC appears 77 times
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: String function: 00403540 appears 44 times
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: String function: 00406678 appears 32 times
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: String function: 004042D0 appears 34 times
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: String function: 004042AC appears 154 times
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: String function: 0040390C appears 54 times
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: String function: 0040DEE8 appears 36 times
Source: quotation.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: YYtJku.exe.2.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: quotation.exe, 00000001.00000002.358213928.00000000007D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs quotation.exe
Source: quotation.exe, 00000001.00000002.359644642.00000000042A2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameKDFxBLXjgezaVKAqvbXztkB.exe4 vs quotation.exe
Source: quotation.exe | Binary or memory string: OriginalFilename vs quotation.exe
Source: quotation.exe, 00000002.00000002.621591753.0000000000482000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameKDFxBLXjgezaVKAqvbXztkB.exe4 vs quotation.exe
Source: quotation.exe, 00000002.00000002.620561420.0000000000197000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs quotation.exe
Source: quotation.exe, 00000002.00000002.632840218.00000000056B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs quotation.exe
Source: quotation.exe, 00000002.00000002.634133805.0000000005E10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs quotation.exe
Source: quotation.exe, 00000002.00000002.632871635.00000000056C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs quotation.exe
Source: C:\Users\user\Desktop\quotation.exe | Section loaded: mscorwks.dll
Source: C:\Users\user\Desktop\quotation.exe | Section loaded: mscorsec.dll
Source: C:\Users\user\Desktop\quotation.exe | Section loaded: mscorjit.dll
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Section loaded: mscorwks.dll (listed twice)
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Section loaded: mscorsec.dll (listed twice)
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Section loaded: mscorjit.dll (listed twice)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/2@9/4
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00421EBC GetLastError,FormatMessageA
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00408B80 GetDiskFreeSpaceA
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00415688 FindResourceA
Source: C:\Users\user\Desktop\quotation.exe | File created: C:\Users\user\AppData\Roaming\YYtJku
Source: C:\Users\user\Desktop\quotation.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (listed twice)
Source: C:\Users\user\Desktop\quotation.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (listed twice)
Source: C:\Users\user\Desktop\quotation.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\quotation.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (listed twice)
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (listed twice)
Source: C:\Users\user\Desktop\quotation.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\quotation.exe | File read: C:\Windows\System32\drivers\etc\hosts (listed 6 times)
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | File read: C:\Windows\System32\drivers\etc\hosts (listed 12 times)
Source: quotation.exe | Virustotal: Detection: 63%
Source: quotation.exe | ReversingLabs: Detection: 58%
Source: C:\Users\user\Desktop\quotation.exe | File read: C:\Users\user\Desktop\quotation.exe
Source: unknown | Process created: C:\Users\user\Desktop\quotation.exe 'C:\Users\user\Desktop\quotation.exe' (listed twice)
Source: unknown | Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe' (listed 4 times)
Source: C:\Users\user\Desktop\quotation.exe | Process created: C:\Users\user\Desktop\quotation.exe 'C:\Users\user\Desktop\quotation.exe'
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Process created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe 'C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe' (listed twice)
Source: C:\Users\user\Desktop\quotation.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\quotation.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\quotation.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\quotation.exe | Unpacked PE file: 2.2.quotation.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Unpacked PE file: 5.2.YYtJku.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Unpacked PE file: 11.2.YYtJku.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\quotation.exe | Unpacked PE file: 2.2.quotation.exe.2280000.4.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\quotation.exe | Unpacked PE file: 2.2.quotation.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Unpacked PE file: 5.2.YYtJku.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Unpacked PE file: 11.2.YYtJku.exe.400000.0.unpack
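The "changes PE section rights" entries above are a comparison of section tables: the file on disk carries only .text/.rsrc/.reloc (the layout of a .NET assembly, consistent with the mscorwks.dll and mscorjit.dll loads listed earlier), while the image dumped from 0x400000 after unpacking has Delphi section names (CODE, DATA, BSS, .idata, .tls) with different protections. The parser below, an added example and not Joe Sandbox's code nor anything taken from the sample, reproduces that comparison from raw bytes using only the standard library. Its E/R/W letters approximate the report's "CODE:ER;" notation rather than the tool's exact encoding, and build_pe() constructs synthetic headers so it runs offline; a real triage would feed it the on-disk file and a memory dump instead.

```python
"""Summarise PE section permissions from raw bytes and diff an in-memory image
against the on-disk file.

Added example for this report, not Joe Sandbox code and not derived from the
sample. It parses the COFF section table with the standard library only; the
one-letter E/R/W rendering approximates the report's 'CODE:ER;...' notation
(the real tool's exact encoding is not documented here). build_pe() constructs
minimal synthetic headers so the module runs offline.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def section_table(data):
    """Return [(name, characteristics), ...] for a PE image or header dump."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt              # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].split(b"\0", 1)[0].decode("latin-1")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, characteristics))
    return sections


def rights_letters(characteristics):
    """E/R/W letters for the memory-protection bits, in that fixed order."""
    return ("E" if characteristics & IMAGE_SCN_MEM_EXECUTE else "") + \
           ("R" if characteristics & IMAGE_SCN_MEM_READ else "") + \
           ("W" if characteristics & IMAGE_SCN_MEM_WRITE else "")


def section_rights(data):
    """'NAME:letters;' per section, the shape the report prints."""
    return "".join(f"{name}:{rights_letters(c)};" for name, c in section_table(data))


def compare_images(memory_image, disk_image):
    """Return (summary, findings). summary mirrors the report's 'X vs Y' line;
    findings lists sections that appear, vanish or change rights after
    unpacking, plus any section that is writable and executable in memory."""
    mem = dict(section_table(memory_image))   # assumes unique section names
    disk = dict(section_table(disk_image))
    findings = []
    for name in sorted(mem.keys() - disk.keys()):
        findings.append(f"{name}: only in memory image")
    for name in sorted(disk.keys() - mem.keys()):
        findings.append(f"{name}: only in on-disk image")
    for name in sorted(mem.keys() & disk.keys()):
        before, after = rights_letters(disk[name]), rights_letters(mem[name])
        if before != after:
            findings.append(f"{name}: {after} in memory vs {before} on disk")
    for name, c in mem.items():
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name}: writable and executable in memory")
    return f"{section_rights(memory_image)} vs {section_rights(disk_image)}", findings


def build_pe(sections):
    """Construct a minimal PE32 header (constructed test data, not a real file)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                      # PE32 optional header, only Magic filled in
    struct.pack_into("<H", opt, 0, 0x10B)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii")[:8].ljust(8, b"\0"),
                    0, 0, 0, 0, 0, 0, 0, 0, characteristics)
        for name, characteristics in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed stand-ins for a Delphi-style unpacked image and a .NET-style on-disk stub.
ER, RW, R = (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
             IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ)
SAMPLE_MEMORY = build_pe([("CODE", ER), ("DATA", RW), (".idata", RW), (".rsrc", R)])
SAMPLE_DISK = build_pe([(".text", ER), (".rsrc", R), (".reloc", R)])

if __name__ == "__main__":
    summary, findings = compare_images(SAMPLE_MEMORY, SAMPLE_DISK)
    print(summary)
    for finding in findings:
        print(" -", finding)
```

Running the module prints the "X vs Y" summary and one finding per section that exists only in memory or only on disk; a section that is both writable and executable in the dump is reported separately, because that is the condition (self-modifying or freshly written code) a detection engineer usually cares about more than the name change alone.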
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0044293C SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00442F6C push 00442FF9h; ret 1_2_00442FF1
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0042A05C push 0042A088h; ret 1_2_0042A080
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00412010 push 0041214Ch; ret 1_2_00412144
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0042A010 push 0042A051h; ret 1_2_0042A049
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0042A094 push 0042A0CCh; ret 1_2_0042A0C4
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00428108 push 004281D8h; ret 1_2_004281D0
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00412120 push 0041214Ch; ret 1_2_00412144
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0044421C push 00444248h; ret 1_2_00444240
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_004662C8 push 004662F4h; ret 1_2_004662EC
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_004282E8 push 00428314h; ret 1_2_0042830C
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_004183C0 push ecx; mov dword ptr [esp], edx 1_2_004183C2
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0042A3B8 push 0042A3E4h; ret 1_2_0042A3DC
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_004324E4 push 0043254Eh; ret 1_2_00432546
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00432550 push 004325BAh; ret 1_2_004325B2
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00406536 push 00406589h; ret 1_2_00406581
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00406538 push 00406589h; ret 1_2_00406581
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_004285A0 push 004285CCh; ret 1_2_004285C4
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_004686C4 push 004686F7h; ret 1_2_004686EF
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00406708 push 00406734h; ret 1_2_0040672C
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0041E7EA push 0041E892h; ret 1_2_0041E88A
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0041E7EC push 0041E892h; ret 1_2_0041E88A
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_004287EC push 00428818h; ret 1_2_00428810
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00406798 push 004067C4h; ret 1_2_004067BC
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_004148F4 push ecx; mov dword ptr [esp], edx 1_2_004148F9
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0041E8F6 push 0041EC54h; ret 1_2_0041EC4C
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00416938 push ecx; mov dword ptr [esp], edx 1_2_00416939
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_004389E8 push ecx; mov dword ptr [esp], ecx 1_2_004389EC
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00458AA0 push 00458AFAh; ret 1_2_00458AF2
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00414B1C push ecx; mov dword ptr [esp], edx 1_2_00414B21
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00414C7C push ecx; mov dword ptr [esp], edx 1_2_00414C81
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0041EC28 push 0041EC54h; ret 1_2_0041EC4C
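A caveat on the push/ret entries above: in every one of them the pushed address is exactly 8 bytes past the ret (for example push 00442FF9h with the ret at 00442FF1), and both binaries open HKEY_CURRENT_USER\Software\Borland\Delphi\Locales, so this is the Delphi compiler's try/finally epilogue (push the continuation address, run the finally block, ret into it, with two jmp stubs in between) rather than hand-written control-flow obfuscation. The signature is noisy on Delphi-compiled code and should not be weighted as an independent indicator here. The scanner below, an added example and not Joe Sandbox's code, finds push imm32 / ret pairs in a code buffer and separates that idiom from a push/ret whose target lies outside the image or far from the ret. It is a byte-pattern heuristic, not a disassembler; the image base 0x400000 matches the ".400000.0.unpack" dumps in the report, but the image size, the function address and all code bytes are constructed for the demonstration.

```python
"""Find 'push imm32 ... ret' pairs in x86 code and separate the Delphi
try/finally idiom from a genuine push/ret jump.

Added example for this report, not Joe Sandbox code and not the sample's bytes.
It is a byte-pattern heuristic (0x68 = push imm32, 0xC3 = ret) rather than a
disassembler, so a 0x68 or 0xC3 inside another instruction's operands can
produce a false pair; treat hits as leads. IMAGE_SIZE, SAMPLE_BASE and the code
bytes below are constructed test data.
"""
import struct

PUSH_IMM32 = 0x68
RET = 0xC3

# 0x400000 matches the '.400000.0.unpack' dumps in the report; the size is an
# assumption for the example, not a value taken from the sample.
IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x00070000
SAMPLE_BASE = 0x00442F6C   # virtual address of SAMPLE_CODE[0] (illustrative)

# Constructed bytes in the shape a Delphi try/finally epilogue takes, followed
# by two pairs that are not compiler idiom.
SAMPLE_CODE = bytes([
    0x68, 0x7D, 0x2F, 0x44, 0x00,        # 442F6C  push 00442F7Dh  (continuation)
    0x90, 0x90, 0x90, 0x90,              # 442F71  finally body stand-in
    0xC3,                                # 442F75  ret -> 00442F7D
    0xE9, 0x00, 0x00, 0x00, 0x00,        # 442F76  jmp @HandleFinally (rel32 zeroed)
    0xEB, 0xF4,                          # 442F7B  jmp back to the finally body
    0xB8, 0x01, 0x00, 0x00, 0x00,        # 442F7D  mov eax, 1      (ret + 8)
    0x68, 0x7B, 0x1D, 0x80, 0x7C,        # 442F82  push 7C801D7Bh  (outside image)
    0xC3,                                # 442F87  ret
    0x68, 0x00, 0x30, 0x44, 0x00,        # 442F88  push 00443000h  (far, in image)
    0xC3,                                # 442F8D  ret
])


def find_push_ret(code, base, window=96):
    """Return (push_va, ret_va, target) for each push imm32 that is followed by
    a ret byte within `window` bytes."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] != PUSH_IMM32:
            continue
        target = struct.unpack_from("<I", code, i + 1)[0]
        j = code.find(bytes([RET]), i + 5, min(len(code), i + 5 + window))
        if j != -1:
            hits.append((base + i, base + j, target))
    return hits


def classify(push_va, ret_va, target, image_base, image_size):
    """Label a pair. Delphi's try/finally epilogue is 'push @exit; <finally>;
    ret; jmp @HandleFinally; jmp @finally; @exit:', so @exit is ret + 8; any
    target landing just past the ret is treated as that idiom."""
    if not image_base <= target < image_base + image_size:
        return "target outside image"
    if ret_va < target <= ret_va + 16:
        return "compiler finally-block idiom"
    return "push/ret jump"


def scan(code, base, image_base, image_size):
    """All pairs in `code`, each tagged with its classification."""
    return [(p, r, t, classify(p, r, t, image_base, image_size))
            for p, r, t in find_push_ret(code, base)]


def format_hit(push_va, ret_va, target):
    """Render a pair in the report's 'push XXXXXXXXh; ret' style."""
    return f"{push_va:08X} push {target:08X}h; ret {ret_va:08X}"


if __name__ == "__main__":
    for p, r, t, label in scan(SAMPLE_CODE, SAMPLE_BASE, IMAGE_BASE, IMAGE_SIZE):
        print(f"{format_hit(p, r, t)}  [{label}]")
```

On real input, point SAMPLE_BASE at the virtual address of the buffer you extracted and take IMAGE_BASE/IMAGE_SIZE from the optional header; pairs labelled "compiler finally-block idiom" can be dropped from the obfuscation tally, while "target outside image" or "push/ret jump" pairs are the ones worth opening in a disassembler.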
Source: C:\Users\user\Desktop\quotation.exe | File created: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe
Source: C:\Users\user\Desktop\quotation.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run YYtJku (listed twice)

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\quotation.exe | File opened: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe:Zone.Identifier read attributes | delete
Moves itself to temp directory
Source: c:\users\user\desktop\quotation.exe | File moved: C:\Users\user\AppData\Local\Temp\tmpG630.tmp
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_004569DC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0043E3E0 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00428A24 IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_004570D0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00457180 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0043D254 IsIconic,GetCapture
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_00453AD0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0043DAFC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4_2_004569DC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4_2_0043E3E0 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4_2_00428A24 IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4_2_004570D0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4_2_00457180 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4_2_0043D254 IsIconic,GetCapture
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4_2_00453AD0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 4_2_0043DAFC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_004569DC PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_0043E3E0 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_00428A24 IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_004570D0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_00457180 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_0043D254 IsIconic,GetCapture
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_00453AD0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Code function: 9_2_0043DAFC IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
Source: C:\Users\user\Desktop\quotation.exe | Code function: 1_2_0044293C SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\quotation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\YYtJku\YYtJku.exe - Process information set: NOOPENFILEERRORBOX
                      Source: