Windows Analysis Report
yhYrGCKq9s.exe

Overview

General Information

Sample name: yhYrGCKq9s.exe
renamed because original name is a hash value
Original sample name: 06e81f5bb3b70ddd48d4711afd1f75776bc1e28e787ffd5dab9459083796f437.exe
Analysis ID: 1555762
MD5: 67b0d57e74adeef2f15582f95c9d5c43
SHA1: 4d359d98992b6ee3b47aa7667fcd74d25ca715bd
SHA256: 06e81f5bb3b70ddd48d4711afd1f75776bc1e28e787ffd5dab9459083796f437
Tags: 91-202-233-18exeuser-JAMESWT_MHT
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: yhYrGCKq9s.exe ReversingLabs: Detection: 39%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.2% probability
Uses 32bit PE files
Source: yhYrGCKq9s.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: yhYrGCKq9s.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000012.00000000.2289258629.0000000000022000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.17.dr, RegAsm.exe.11.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000012.00000000.2289258629.0000000000022000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.17.dr, RegAsm.exe.11.dr
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\182431 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\182431\ Jump to behavior

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49763 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49851 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49804 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49902 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49952 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49986 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49987 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49988 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49991 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49983 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49992 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49993 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49994 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49995 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49996 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49998 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49989 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49990 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50000 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49997 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50001 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50002 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50003 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50004 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50005 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:49999 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50007 -> 91.202.233.18:15647
Source: Network traffic Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.5:50006 -> 91.202.233.18:15647
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 91.202.233.18 ports 1,4,5,6,7,15647
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49763 -> 91.202.233.18:15647
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: M247GB M247GB
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49907
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: NHjARYrTsivtAmbTasWzHG.NHjARYrTsivtAmbTasWzHG replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.18
Source: global traffic DNS traffic detected: DNS query: NHjARYrTsivtAmbTasWzHG.NHjARYrTsivtAmbTasWzHG
Source: yhYrGCKq9s.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: yhYrGCKq9s.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: yhYrGCKq9s.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: yhYrGCKq9s.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: yhYrGCKq9s.exe, 00000000.00000003.2051815393.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2093288761.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2252847893.0000000003692000.00000004.00000020.00020000.00000000.sdmp, Marina.0.dr, Vertical.pif.2.dr, PulsePlay.scr.11.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: yhYrGCKq9s.exe, 00000000.00000003.2051815393.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2093288761.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2252847893.0000000003692000.00000004.00000020.00020000.00000000.sdmp, Marina.0.dr, Vertical.pif.2.dr, PulsePlay.scr.11.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: yhYrGCKq9s.exe, 00000000.00000003.2051815393.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2093288761.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2252847893.0000000003692000.00000004.00000020.00020000.00000000.sdmp, Marina.0.dr, Vertical.pif.2.dr, PulsePlay.scr.11.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: yhYrGCKq9s.exe, 00000000.00000003.2051815393.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2093288761.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2252847893.0000000003692000.00000004.00000020.00020000.00000000.sdmp, Marina.0.dr, Vertical.pif.2.dr, PulsePlay.scr.11.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: yhYrGCKq9s.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: yhYrGCKq9s.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: yhYrGCKq9s.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: yhYrGCKq9s.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: yhYrGCKq9s.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: yhYrGCKq9s.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: yhYrGCKq9s.exe String found in binary or memory: http://ocsp.digicert.com0
Source: yhYrGCKq9s.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: yhYrGCKq9s.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: yhYrGCKq9s.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: yhYrGCKq9s.exe, 00000000.00000003.2051815393.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2093288761.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2252847893.0000000003692000.00000004.00000020.00020000.00000000.sdmp, Marina.0.dr, Vertical.pif.2.dr, PulsePlay.scr.11.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: yhYrGCKq9s.exe, 00000000.00000003.2051815393.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2093288761.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2252847893.0000000003692000.00000004.00000020.00020000.00000000.sdmp, Marina.0.dr, Vertical.pif.2.dr, PulsePlay.scr.11.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: yhYrGCKq9s.exe, 00000000.00000003.2051815393.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2093288761.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2252847893.0000000003692000.00000004.00000020.00020000.00000000.sdmp, Marina.0.dr, Vertical.pif.2.dr, PulsePlay.scr.11.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: yhYrGCKq9s.exe, 00000000.00000003.2051815393.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2093288761.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2252847893.0000000003692000.00000004.00000020.00020000.00000000.sdmp, Marina.0.dr, Vertical.pif.2.dr, PulsePlay.scr.11.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: yhYrGCKq9s.exe, 00000000.00000003.2051815393.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2093288761.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2252847893.0000000003692000.00000004.00000020.00020000.00000000.sdmp, Marina.0.dr, Vertical.pif.2.dr, PulsePlay.scr.11.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: yhYrGCKq9s.exe, 00000000.00000003.2051815393.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2093288761.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000000.2087091650.00000000007A5000.00000002.00000001.01000000.00000006.sdmp, PulsePlay.scr, 00000011.00000000.2213211513.00000000009A5000.00000002.00000001.01000000.00000008.sdmp, Marina.0.dr, Vertical.pif.2.dr, PulsePlay.scr.11.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: yhYrGCKq9s.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, 00000014.00000002.2451274687.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/wikwTRQc
Source: RegAsm.exe, 00000014.00000002.2451274687.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/wikwTRQcPO
Source: yhYrGCKq9s.exe, 00000000.00000003.2051815393.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2093288761.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2252847893.0000000003692000.00000004.00000020.00020000.00000000.sdmp, Marina.0.dr, Vertical.pif.2.dr, PulsePlay.scr.11.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: PulsePlay.scr.11.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: yhYrGCKq9s.exe, 00000000.00000003.2051815393.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2093288761.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2252847893.0000000003692000.00000004.00000020.00020000.00000000.sdmp, Marina.0.dr, Vertical.pif.2.dr, PulsePlay.scr.11.dr String found in binary or memory: https://www.globalsign.com/repository/06
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050CD
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5

Spam, unwanted Advertisements and Ransom Demands
barindex
Writes many files with high entropy
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\Consequences entropy: 7.99797996464 Jump to dropped file
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\Pi entropy: 7.9978428933 Jump to dropped file
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\Instrument entropy: 7.99670962112 Jump to dropped file
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\Bytes entropy: 7.99790163638 Jump to dropped file
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\Pt entropy: 7.99779865692 Jump to dropped file
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\Gel entropy: 7.99796287976 Jump to dropped file
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\Crude entropy: 7.99784854047 Jump to dropped file
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\Variations entropy: 7.99543595472 Jump to dropped file
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\Including entropy: 7.99810452545 Jump to dropped file
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\Cindy entropy: 7.99757579313 Jump to dropped file
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\Personally entropy: 7.9969956707 Jump to dropped file
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\Passion entropy: 7.9980798204 Jump to dropped file
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\Dairy entropy: 7.99796598234 Jump to dropped file
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\Midlands entropy: 7.99709130667 Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\182431\d entropy: 7.99984884161 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif File created: C:\Users\user\AppData\Local\FitTech Pulse Solutions\B entropy: 7.99984884161 Jump to dropped file

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 20.2.RegAsm.exe.1300000.0.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process Stats: CPU usage > 49%
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 0_2_00403883
Creates files inside the system directory
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Windows\ObjectBalance Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Windows\AvailableAir Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Windows\ReturnMighty Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Windows\SexoDestroy Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Windows\PromotesWaterproof Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_0040497C 0_2_0040497C
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_00406ED2 0_2_00406ED2
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_004074BB 0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Code function: 19_2_0139D110 19_2_0139D110
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Code function: 19_2_0139B01F 19_2_0139B01F
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Code function: 19_2_01391070 19_2_01391070
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Code function: 19_2_013915E0 19_2_013915E0
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Code function: 19_2_0139C880 19_2_0139C880
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Code function: 19_2_0139BD78 19_2_0139BD78
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Code function: 19_2_01391060 19_2_01391060
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Code function: 19_2_0139B09E 19_2_0139B09E
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Code function: 19_2_0139D0F3 19_2_0139D0F3
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Code function: 19_2_013915C3 19_2_013915C3
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Code function: 19_2_0139A908 19_2_0139A908
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Code function: 19_2_0139A8F9 19_2_0139A8F9
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Code function: 19_2_0139BD45 19_2_0139BD45
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Code function: 20_2_057315E0 20_2_057315E0
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Code function: 20_2_05731070 20_2_05731070
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Code function: 20_2_0573B01F 20_2_0573B01F
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Code function: 20_2_057315C3 20_2_057315C3
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Code function: 20_2_05731060 20_2_05731060
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Code function: 20_2_0573B09E 20_2_0573B09E
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Code function: 20_2_0573BD78 20_2_0573BD78
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Code function: 20_2_0573BD45 20_2_0573BD45
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Code function: 20_2_0573A908 20_2_0573A908
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr 05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: String function: 004062A3 appears 58 times
Sample file is different than original file name gathered from version info
Source: yhYrGCKq9s.exe, 00000000.00000002.2110746163.00000000008D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs yhYrGCKq9s.exe
Source: yhYrGCKq9s.exe, 00000000.00000003.2051815393.0000000002BC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeP vs yhYrGCKq9s.exe
Source: yhYrGCKq9s.exe, 00000000.00000003.2110045569.00000000008D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs yhYrGCKq9s.exe
Uses 32bit PE files
Source: yhYrGCKq9s.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 20.2.RegAsm.exe.1300000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: classification engine Classification label: mal100.rans.troj.expl.evad.winEXE@34/27@3/1
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif File created: C:\Users\user\AppData\Local\FitTech Pulse Solutions Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_03
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1268:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\5efef9cbb8964d2f8d1371170c089ec6
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File created: C:\Users\user\AppData\Local\Temp\nsv1137.tmp Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Updated Updated.bat & Updated.bat
Source: yhYrGCKq9s.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: yhYrGCKq9s.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe File read: C:\Users\user\Desktop\yhYrGCKq9s.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\yhYrGCKq9s.exe "C:\Users\user\Desktop\yhYrGCKq9s.exe"
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Updated Updated.bat & Updated.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 182431
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TranslateTileAuthorsPerhaps" Intervention
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Crude + ..\Cindy + ..\Dairy + ..\Gel + ..\Midlands + ..\Personally + ..\Pi + ..\Bytes + ..\Consequences + ..\Passion + ..\Pt + ..\Instrument + ..\Including + ..\Variations d
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Vertical.pif d
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PulsePlay.url" & echo URL="C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PulsePlay.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr "C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr" "C:\Users\user\AppData\Local\FitTech Pulse Solutions\B"
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Process created: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Process created: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Process created: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe "C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe"
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Updated Updated.bat & Updated.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 182431 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TranslateTileAuthorsPerhaps" Intervention Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Crude + ..\Cindy + ..\Dairy + ..\Gel + ..\Midlands + ..\Personally + ..\Pi + ..\Bytes + ..\Consequences + ..\Passion + ..\Pt + ..\Instrument + ..\Including + ..\Variations d Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Vertical.pif d Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PulsePlay.url" & echo URL="C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PulsePlay.url" & exit Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Process created: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Process created: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr "C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr" "C:\Users\user\AppData\Local\FitTech Pulse Solutions\B" Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Process created: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe "C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: yhYrGCKq9s.exe Static file information: File size 4194328 > 1048576
Source: yhYrGCKq9s.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000012.00000000.2289258629.0000000000022000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.17.dr, RegAsm.exe.11.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000012.00000000.2289258629.0000000000022000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.17.dr, RegAsm.exe.11.dr
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
PE file contains an invalid checksum
Source: yhYrGCKq9s.exe Static PE information: real checksum: 0x191eb5 should be: 0x4044d6
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Code function: 19_2_0139EC5D push eax; iretd 19_2_0139EC5E

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif File created: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif File created: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif File created: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Jump to dropped file
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr File created: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PulsePlay.url Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PulsePlay.url Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Memory allocated: 1390000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Memory allocated: 3000000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Memory allocated: 5000000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Memory allocated: 3210000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Memory allocated: 3210000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Memory allocated: 5210000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Window / User API: threadDelayed 2157 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Window / User API: threadDelayed 7635 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -24903104499507879s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -54553s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 5244 Thread sleep count: 2157 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -59872s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -59975s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -59763s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -59640s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 5244 Thread sleep count: 7635 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -43930s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -59525s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -35172s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -59422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -50180s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -59312s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -46716s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -59203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -45482s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -59093s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -58983s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -58859s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -31000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -58750s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -56417s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -58640s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -58531s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -58417s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -32628s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -58312s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -30349s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -58203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -40064s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -58093s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -49021s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -57984s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -57875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -36015s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -57765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -40556s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -57656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -57547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -51257s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -57437s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -57328s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -40647s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -57218s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -59529s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -57109s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -57000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -45001s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -56890s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -56779s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -56671s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -35697s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -56562s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -32218s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -56453s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -39150s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -56343s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -56234s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -56121s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -43258s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -55980s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -55856s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -55746s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -55640s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -30836s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -55531s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -55161s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -55422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -42481s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -55312s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -55203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -51113s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -55093s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -34016s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -54984s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -54875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -54765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -57792s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -54656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -54546s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 4308 Thread sleep time: -45825s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe TID: 6084 Thread sleep time: -54437s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe TID: 3656 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 54553 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 59872 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 59975 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 59763 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 59640 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 43930 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 59525 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 35172 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 59422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 50180 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 59312 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 46716 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 59203 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 45482 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 59093 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 58983 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 58859 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 31000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 58750 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 56417 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 58640 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 58531 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 58417 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 32628 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 58312 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 30349 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 58203 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 40064 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 58093 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 49021 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 57984 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 57875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 36015 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 57765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 40556 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 57656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 57547 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 51257 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 57437 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 57328 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 40647 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 57218 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 59529 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 57109 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 57000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 45001 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 56890 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 56779 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 56671 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 35697 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 56562 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 32218 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 56453 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 39150 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 56343 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 56234 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 56121 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 43258 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 55980 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 55856 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 55746 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 55640 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 30836 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 55531 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 55161 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 55422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 42481 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 55312 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 55203 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 51113 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 55093 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 34016 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 54984 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 54875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 54765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 57792 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 54656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 54546 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 45825 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Thread delayed: delay time: 54437 Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\182431 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\182431\ Jump to behavior
Source: RegAsm.exe, 00000013.00000002.4505055866.0000000001440000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Process information queried: ProcessInformation Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Enables debug privileges
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Memory written: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe base: 1020000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Memory written: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe base: 1300000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Memory written: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe base: 1020000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Memory written: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe base: E45000 Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Memory written: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe base: 1300000 Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Memory written: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe base: 10CD000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Updated Updated.bat & Updated.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 182431 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TranslateTileAuthorsPerhaps" Intervention Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Crude + ..\Cindy + ..\Dairy + ..\Gel + ..\Midlands + ..\Personally + ..\Pi + ..\Bytes + ..\Consequences + ..\Passion + ..\Pt + ..\Instrument + ..\Including + ..\Variations d Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Vertical.pif d Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Process created: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Process created: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr "C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr" "C:\Users\user\AppData\Local\FitTech Pulse Solutions\B" Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\PulsePlay.scr Process created: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe "C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\pulseplay.url" & echo url="c:\users\user\appdata\local\fittech pulse solutions\pulseplay.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\pulseplay.url" & exit
Source: C:\Users\user\AppData\Local\Temp\182431\Vertical.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\pulseplay.url" & echo url="c:\users\user\appdata\local\fittech pulse solutions\pulseplay.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\pulseplay.url" & exit Jump to behavior
Source: yhYrGCKq9s.exe, 00000000.00000003.2051815393.0000000002BBB000.00000004.00000020.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000003.2092923397.0000000003D01000.00000004.00000800.00020000.00000000.sdmp, Vertical.pif, 0000000B.00000000.2086939118.0000000000793000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\182431\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\FitTech Pulse Solutions\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\yhYrGCKq9s.exe Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406805
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: 20.2.RegAsm.exe.1300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2450417392.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1632, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 20.2.RegAsm.exe.1300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2450417392.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1632, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: 20.2.RegAsm.exe.1300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2450417392.0000000001302000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1632, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1555762 Sample: yhYrGCKq9s.exe Startdate: 14/11/2024 Architecture: WINDOWS Score: 100 68 NHjARYrTsivtAmbTasWzHG.NHjARYrTsivtAmbTasWzHG 2->68 80 Suricata IDS alerts for network traffic 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 7 other signatures 2->86 10 yhYrGCKq9s.exe 30 2->10         started        14 wscript.exe 1 2->14         started        signatures3 process4 file5 60 C:\Users\user\AppData\Local\Temp\Variations, data 10->60 dropped 62 C:\Users\user\AppData\Local\Temp\Pt, data 10->62 dropped 64 C:\Users\user\AppData\Local\Temp\Pi, data 10->64 dropped 66 11 other malicious files 10->66 dropped 96 Writes many files with high entropy 10->96 16 cmd.exe 3 10->16         started        98 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->98 100 Suspicious execution chain found 14->100 20 PulsePlay.scr 1 14->20         started        signatures6 process7 file8 44 C:\Users\user\AppData\Local\...\Vertical.pif, PE32 16->44 dropped 72 Drops PE files with a suspicious file extension 16->72 74 Writes many files with high entropy 16->74 22 Vertical.pif 5 16->22         started        26 cmd.exe 2 16->26         started        28 conhost.exe 16->28         started        32 7 other processes 16->32 46 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 20->46 dropped 76 Writes to foreign memory regions 20->76 78 Injects a PE file into a foreign processes 20->78 30 RegAsm.exe 20->30         started        signatures9 process10 file11 50 C:\Users\user\AppData\Local\...\PulsePlay.scr, PE32 22->50 dropped 52 C:\Users\user\AppData\Local\...\PulsePlay.js, ASCII 22->52 dropped 54 C:\Users\user\AppData\Local\...\B, data 22->54 dropped 56 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 22->56 dropped 88 Drops PE files with a suspicious file extension 22->88 90 Writes to foreign memory regions 22->90 92 Writes many files with high entropy 22->92 94 Injects a PE file into a foreign processes 22->94 34 RegAsm.exe 2 22->34         started        37 cmd.exe 2 22->37         started        40 RegAsm.exe 22->40         started        58 C:\Users\user\AppData\Local\Temp\182431\d, data 26->58 dropped signatures12 process13 dnsIp14 70 91.202.233.18, 15647, 49763, 49804 M247GB Russian Federation 34->70 48 C:\Users\user\AppData\...\PulsePlay.url, MS 37->48 dropped 42 conhost.exe 37->42         started        file15 process16
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
91.202.233.18
 unknown Russian Federation
9009 M247GB true

Contacted Domains

Name IP Active
NHjARYrTsivtAmbTasWzHG.NHjARYrTsivtAmbTasWzHG unknown unknown