
Analysis Report YTLFsQdK4Hb0Qse.exe

Overview

General Information

Sample Name: YTLFsQdK4Hb0Qse.exe
Analysis ID: 299739
MD5: 7f86cf4be708f18d8d51c2c7c7225ec0
SHA1: 31a2fd8461f5ea1551d5945b182dcfc660629a96
SHA256: 8f28bf16d28e463f009f14d0fdbd022ce9efd486666be096665ab84ab5fedf47
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • YTLFsQdK4Hb0Qse.exe (PID: 6572 cmdline: 'C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe' MD5: 7F86CF4BE708F18D8D51C2C7C7225EC0)
    • schtasks.exe (PID: 6680 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\okvgshcBLHCVID' /XML 'C:\Users\user\AppData\Local\Temp\tmp29A6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • YTLFsQdK4Hb0Qse.exe (PID: 6724 cmdline: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe MD5: 7F86CF4BE708F18D8D51C2C7C7225EC0)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "gfEJcTvigzpaG", "URL: ": "https://rXqy7xoYd8DZ3FyVYr.org", "To: ": "", "ByHost: ": "mail.thanhphet.asia:587", "Password: ": "ZoNML", "From: ": "sales@thanhphet.asia"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.227857640.0000000003525000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.483654286.0000000003436000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.483654286.0000000003436000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.480115023.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.227274995.00000000024D1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.YTLFsQdK4Hb0Qse.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\okvgshcBLHCVID' /XML 'C:\Users\user\AppData\Local\Temp\tmp29A6.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\okvgshcBLHCVID' /XML 'C:\Users\user\AppData\Local\Temp\tmp29A6.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe', ParentImage: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe, ParentProcessId: 6572, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\okvgshcBLHCVID' /XML 'C:\Users\user\AppData\Local\Temp\tmp29A6.tmp', ProcessId: 6680

Signature Overview

AV Detection:

Found malware configuration
Source: YTLFsQdK4Hb0Qse.exe.6724.3.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "gfEJcTvigzpaG", "URL: ": "https://rXqy7xoYd8DZ3FyVYr.org", "To: ": "", "ByHost: ": "mail.thanhphet.asia:587", "Password: ": "ZoNML", "From: ": "sales@thanhphet.asia"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\okvgshcBLHCVID.exe ReversingLabs: Detection: 16%
Multi AV Scanner detection for submitted file
Source: YTLFsQdK4Hb0Qse.exe Virustotal: Detection: 9%
Source: YTLFsQdK4Hb0Qse.exe ReversingLabs: Detection: 16%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\okvgshcBLHCVID.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: YTLFsQdK4Hb0Qse.exe Joe Sandbox ML: detected
Source: 3.2.YTLFsQdK4Hb0Qse.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: Joe Sandbox View IP Address: 192.185.113.157
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.483454426.00000000033E1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.483454426.00000000033E1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.488031084.0000000006BD0000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.488031084.0000000006BD0000.00000004.00000001.sdmp String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.488031084.0000000006BD0000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.488031084.0000000006BD0000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.488031084.0000000006BD0000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.488031084.0000000006BD0000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.488031084.0000000006BD0000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.488031084.0000000006BD0000.00000004.00000001.sdmp String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.485031552.00000000036A3000.00000004.00000001.sdmp String found in binary or memory: http://mail.thanhphet.asia
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.488031084.0000000006BD0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.488031084.0000000006BD0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.227857640.0000000003525000.00000004.00000001.sdmp String found in binary or memory: http://schemas.microso(
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.227274995.00000000024D1000.00000004.00000001.sdmp, YTLFsQdK4Hb0Qse.exe, 00000003.00000002.483454426.00000000033E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: YTLFsQdK4Hb0Qse.exe String found in binary or memory: http://tempuri.org/ScrapDBDataSet.xsd
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.483454426.00000000033E1000.00000004.00000001.sdmp String found in binary or memory: http://xEuYyH.com
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.483454426.00000000033E1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.483454426.00000000033E1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org/
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.483454426.00000000033E1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.227857640.0000000003525000.00000004.00000001.sdmp, YTLFsQdK4Hb0Qse.exe, 00000003.00000002.480115023.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.483454426.00000000033E1000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.485031552.00000000036A3000.00000004.00000001.sdmp String found in binary or memory: https://rXqy7xoYd8DZ3FyVYr.org
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.488031084.0000000006BD0000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.227857640.0000000003525000.00000004.00000001.sdmp, YTLFsQdK4Hb0Qse.exe, 00000003.00000002.480115023.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.483454426.00000000033E1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.226620771.0000000000920000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 0_2_0090015C NtQueryInformationProcess
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 0_2_00900158 NtQueryInformationProcess
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 0_2_00900AF5 NtQueryInformationProcess
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 0_2_00900470
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 0_2_0090AE88
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 0_2_00900E18
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 0_2_0090C138
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 0_2_00900E08
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 0_2_0090DBE8
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_019547A0
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_01953CCC
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_019546B0
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_01955490
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_0195D841
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_0670F7B0
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_067035A8
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_0670A2A8
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06704A9B
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06708740
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06708744
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06708730
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06708734
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06708738
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_0670873C
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06708724
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06708728
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_0670872C
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_067082D4
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06708354
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_0670B0E0
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_0670D850
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_0673E368
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_067393E0
Source: YTLFsQdK4Hb0Qse.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: okvgshcBLHCVID.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000000.213612818.00000000001C6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameHfoZ.exe4 vs YTLFsQdK4Hb0Qse.exe
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.227857640.0000000003525000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKedermister.dllT vs YTLFsQdK4Hb0Qse.exe
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.227857640.0000000003525000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDmzggePtWGnjXUNestMDJrTBWVrRBs.exe4 vs YTLFsQdK4Hb0Qse.exe
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.231660435.0000000006170000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs YTLFsQdK4Hb0Qse.exe
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.227274995.00000000024D1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameexag vs YTLFsQdK4Hb0Qse.exe
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.226620771.0000000000920000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs YTLFsQdK4Hb0Qse.exe
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.231878855.0000000006270000.00000002.00000001.sdmp Binary or memory string: originalfilename vs YTLFsQdK4Hb0Qse.exe
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.231878855.0000000006270000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs YTLFsQdK4Hb0Qse.exe
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.481058031.0000000001378000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs YTLFsQdK4Hb0Qse.exe
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.480953542.0000000000FE6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameHfoZ.exe4 vs YTLFsQdK4Hb0Qse.exe
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.480115023.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameDmzggePtWGnjXUNestMDJrTBWVrRBs.exe4 vs YTLFsQdK4Hb0Qse.exe
Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.487659735.00000000068B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs YTLFsQdK4Hb0Qse.exe
Source: YTLFsQdK4Hb0Qse.exe Binary or memory string: OriginalFilenameHfoZ.exe4 vs YTLFsQdK4Hb0Qse.exe
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/4@3/2
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe File created: C:\Users\user\AppData\Roaming\okvgshcBLHCVID.exe
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Mutant created: \Sessions\1\BaseNamedObjects\JhcRvezoCYzucv
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_01
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe File created: C:\Users\user\AppData\Local\Temp\tmp29A6.tmp
Source: YTLFsQdK4Hb0Qse.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000000.213471230.00000000000B2000.00000002.00020000.sdmp, YTLFsQdK4Hb0Qse.exe, 00000003.00000002.480233490.0000000000ED2000.00000002.00020000.sdmp Binary or memory string: UPDATE [dbo].[Support] SET [UserName] = @UserName, [Messages] = @Messages, [Reply] = @Reply WHERE (([UserName] = @Original_UserName));
Source: YTLFsQdK4Hb0Qse.exe Binary or memory string: INSERT INTO [dbo].[Chats] ([UserName], [Messages]) VALUES (@UserName, @Messages); SELECT UserName, Messages FROM Chats WHERE (User
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000000.213471230.00000000000B2000.00000002.00020000.sdmp, YTLFsQdK4Hb0Qse.exe, 00000003.00000002.480233490.0000000000ED2000.00000002.00020000.sdmp Binary or memory string: UPDATE [dbo].[Admin] SET [Admin] = @Admin, [Password] = @Password WHERE (([Admin] = @Original_Admin) AND ([Password] = @Original_Password));
Source: YTLFsQdK4Hb0Qse.exe Binary or memory string: INSERT INTO [dbo].[Support] ([UserName], [Messages], [Reply]) VALUES (@UserName, @Messages, @Reply); SELECT UserName, Messages, Re
Source: YTLFsQdK4Hb0Qse.exe Binary or memory string: INSERT INTO [dbo].[Books] ([Title], [Details], [Author]) VALUES (@Title, @Details, @Author); SELECT Title, Details, Author FROM Bo
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000000.213471230.00000000000B2000.00000002.00020000.sdmp, YTLFsQdK4Hb0Qse.exe, 00000003.00000002.480233490.0000000000ED2000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [dbo].[Login] ([UserName], [Password], [About], [Email], [Occupation], [Phone]) VALUES (@UserName, @Password, @About, @Email, @Occupation, @Phone);
Source: YTLFsQdK4Hb0Qse.exe Binary or memory string: INSERT INTO [dbo].[Admin] ([Admin], [Password]) VALUES (@Admin, @Password); SELECT Admin, Password FROM Admin WHERE (Admin = @Admi
Source: YTLFsQdK4Hb0Qse.exe Binary or memory string: UPDATE [dbo].[Chats] SET [UserName] = @UserName, [Messages] = @Messages WHERE (([UserName] = @Original_UserName)); SELECT UserName
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000000.213471230.00000000000B2000.00000002.00020000.sdmp, YTLFsQdK4Hb0Qse.exe, 00000003.00000002.480233490.0000000000ED2000.00000002.00020000.sdmp Binary or memory string: UPDATE [dbo].[Books] SET [Title] = @Title, [Details] = @Details, [Author] = @Author WHERE (([Title] = @Original_Title) AND ([Author] = @Original_Author));
Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000000.213471230.00000000000B2000.00000002.00020000.sdmp, YTLFsQdK4Hb0Qse.exe, 00000003.00000002.480233490.0000000000ED2000.00000002.00020000.sdmp Binary or memory string: UPDATE [dbo].[Login] SET [UserName] = @UserName, [Password] = @Password, [About] = @About, [Email] = @Email, [Occupation] = @Occupation, [Phone] = @Phone WHERE (([UserName] = @Original_UserName) AND ([Password] = @Original_Password) AND ((@IsNull_Email = 1 AND [Email] IS NULL) OR ([Email] = @Original_Email)) AND ((@IsNull_Occupation = 1 AND [Occupation] IS NULL) OR ([Occupation] = @Original_Occupation)) AND ((@IsNull_Phone = 1 AND [Phone] IS NULL) OR ([Phone] = @Original_Phone)));
Source: YTLFsQdK4Hb0Qse.exe Virustotal: Detection: 9%
Source: YTLFsQdK4Hb0Qse.exe ReversingLabs: Detection: 16%
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe File read: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe
Source: unknown Process created: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe 'C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\okvgshcBLHCVID' /XML 'C:\Users\user\AppData\Local\Temp\tmp29A6.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\okvgshcBLHCVID' /XML 'C:\Users\user\AppData\Local\Temp\tmp29A6.tmp'
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Process created: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: YTLFsQdK4Hb0Qse.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: YTLFsQdK4Hb0Qse.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: YTLFsQdK4Hb0Qse.exe Static file information: File size 1142272 > 1048576
Source: YTLFsQdK4Hb0Qse.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x112800
Source: YTLFsQdK4Hb0Qse.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_0195CF91 push esp; iretd 3_2_0195CF9D
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06708354 push es; ret 3_2_067084F0
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06708354 push es; ret 3_2_06708588
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06708354 push es; ret 3_2_067085D4
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06708354 push es; ret 3_2_06708620
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06708354 push es; ret 3_2_0670866C
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_06708C04 push 8BFFFFFFh; retf 3_2_06708C10
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_0673C223 push es; iretd 3_2_0673C224
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe Code function: 3_2_0673C17F push es; iretd 3_2_0673C180
Source: initial sample Static PE information: section name: .text entropy: 7.07929164099
Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe File created: C:\Users\user\AppData\Roaming\okvgshcBLHCVID.exe

              Boot Survival:

              barindex
              Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
              Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\okvgshcBLHCVID' /XML 'C:\Users\user\AppData\Local\Temp\tmp29A6.tmp'
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match | File source: 00000000.00000002.227274995.00000000024D1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.227485511.0000000002569000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: YTLFsQdK4Hb0Qse.exe PID: 6572, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.227274995.00000000024D1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.227274995.00000000024D1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe | Window / User API: threadDelayed 818
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 6576 | Thread sleep time: -53119s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 6596 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 6160 | Thread sleep count: 71 > 30
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 6160 | Thread sleep count: 818 > 30
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -60000s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -59500s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -59282s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -58594s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -57782s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -57094s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -56688s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -55782s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -55594s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -55094s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -54688s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -81750s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -54000s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -80391s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -52688s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -52500s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -52282s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -51188s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -51000s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -50782s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -50094s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -49688s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -49188s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -49000s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -48782s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -48594s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -48094s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -47688s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -47188s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -46782s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -46594s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -46094s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -45688s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -68250s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -45282s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -44594s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -44188s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -43688s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -43500s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -43282s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -43094s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -42188s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -63000s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -41500s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -41282s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -41094s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -40188s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -40000s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -39782s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -39594s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -39094s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -38500s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -38282s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -37188s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -36094s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -35188s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -35000s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -52173s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -34282s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -47250s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -46923s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -31000s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -30188s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -58876s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -38094s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -37688s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -37500s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -37000s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -35876s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe TID: 7152 | Thread sleep time: -35500s >= -30000s
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe | Last function: Thread delayed
              Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.227274995.00000000024D1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.227274995.00000000024D1000.00000004.00000001.sdmp | Binary or memory string: vmware
              Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.227274995.00000000024D1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
              Source: YTLFsQdK4Hb0Qse.exe, 00000000.00000002.227274995.00000000024D1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe | Code function: 3_2_06700450 LdrInitializeThunk, 3_2_06700450
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe | Memory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\okvgshcBLHCVID' /XML 'C:\Users\user\AppData\Local\Temp\tmp29A6.tmp'
              Source: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe | Process created: C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe C:\Users\user\Desktop\YTLFsQdK4Hb0Qse.exe
              Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.482696849.0000000001D00000.00000002.00000001.sdmp | Binary or memory string: Program Manager
              Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.482696849.0000000001D00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.482696849.0000000001D00000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: YTLFsQdK4Hb0Qse.exe, 00000003.00000002.482696849.0000000001D00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock