Edit tour

Windows Analysis Report
YLDUi7gQi7.exe

Overview

General Information

Sample name:	YLDUi7gQi7.exe renamed because original name is a hash value
Original sample name:	e8d13a972f91936870dc5d2e8830dc10a00e499b1bc25cc88ec4570cf7dbfd66.exe
Analysis ID:	1586670
MD5:	6742e36ad0679bf1bdaa1fef3afa43b8
SHA1:	ec4291aa8a4c42074af5d24194e859138650a192
SHA256:	e8d13a972f91936870dc5d2e8830dc10a00e499b1bc25cc88ec4570cf7dbfd66
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

YLDUi7gQi7.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\YLDUi7gQi7.exe" MD5: 6742E36AD0679BF1BDAA1FEF3AFA43B8)

WerFault.exe (PID: 7860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7288 -s 1608 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: YLDUi7gQi7.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: YLDUi7gQi7.exe

ReversingLabs: Detection: 79%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: YLDUi7gQi7.exe

Joe Sandbox ML: detected

Source: YLDUi7gQi7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: YLDUi7gQi7.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Drawing.pdbMZ@ source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: ImageViewer.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2646544849.0000000000A31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.pdb, source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: ImageViewer.pdb& source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: C:\Users\Administrator\Desktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdb source: YLDUi7gQi7.exe
Source:	Binary string: n8C:\Windows\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2645927139.00000000005B7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2646809448.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbM source: YLDUi7gQi7.exe, 00000000.00000002.2646809448.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbp source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.Xml.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: nC:\Users\user\Desktop\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2645927139.00000000005B7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb( source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2646544849.0000000000A31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdbD source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: C:\Users\Administrator\Desktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdbesktop\YLDUi7gQi7.PDB source: YLDUi7gQi7.exe, 00000000.00000002.2645927139.00000000005B7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: Microsoft.CSharp.pdb4 source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: esktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdb- source: YLDUi7gQi7.exe, 00000000.00000002.2656405063.00000000062E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2646544849.0000000000A31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: esktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2656405063.00000000062E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2646544849.0000000000A31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdb- source: YLDUi7gQi7.exe
Source:	Binary string: [symbols\exe\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2645927139.00000000005B7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbH source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdbY78 source: YLDUi7gQi7.exe, 00000000.00000002.2646544849.0000000000A31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WERFAEA.tmp.dmp.5.dr

Source: global traffic

TCP traffic: 192.168.2.5:58538 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /file/1524 HTTP/1.1Host: 94.154.37.129Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file/1524 HTTP/1.1Host: 94.154.37.129Connection: Keep-Alive

Source: unknown

DNS traffic detected: query: mdfile24.theworkpc.com replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /file/1524 HTTP/1.1Host: 94.154.37.129Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file/1524 HTTP/1.1Host: 94.154.37.129Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: mdfile24.theworkpc.com

Source: YLDUi7gQi7.exe, 00000000.00000002.2647411596.000000000275E000.00000004.00000800.00020000.00000000.sdmp, YLDUi7gQi7.exe, 00000000.00000002.2647411596.0000000002772000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.154.37.129
Source: YLDUi7gQi7.exe, 00000000.00000002.2647411596.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.154.37.129/file/1524
Source: YLDUi7gQi7.exe	String found in binary or memory: http://94.154.37.129/file/1524Ohttp://mdfile24.theworkpc.com/file/1524
Source: YLDUi7gQi7.exe, 00000000.00000002.2647411596.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.154.37.129/file/1524P
Source: YLDUi7gQi7.exe, 00000000.00000002.2647411596.0000000002788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mdfile24.theworkpc.com
Source: YLDUi7gQi7.exe, 00000000.00000002.2647411596.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mdfile24.theworkpc.com/file/1524
Source: YLDUi7gQi7.exe, 00000000.00000002.2647411596.0000000002788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mdfile24.theworkpc.com/file/1524d
Source: YLDUi7gQi7.exe, 00000000.00000002.2647411596.000000000275E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

Code function: 0_2_00C63E28

0_2_00C63E28

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7288 -s 1608

Source: YLDUi7gQi7.exe, 00000000.00000002.2646544849.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs YLDUi7gQi7.exe
Source: YLDUi7gQi7.exe, 00000000.00000000.1992405495.000000000041A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameImageViewer.exe8 vs YLDUi7gQi7.exe
Source: YLDUi7gQi7.exe	Binary or memory string: OriginalFilenameImageViewer.exe8 vs YLDUi7gQi7.exe

Source: YLDUi7gQi7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7288

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4df49421-c91b-41b4-b71c-d618c656f60d

Jump to behavior

Source: YLDUi7gQi7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: YLDUi7gQi7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: YLDUi7gQi7.exe

ReversingLabs: Detection: 79%

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

File read: C:\Users\user\Desktop\YLDUi7gQi7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\YLDUi7gQi7.exe "C:\Users\user\Desktop\YLDUi7gQi7.exe"
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7288 -s 1608

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: YLDUi7gQi7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: YLDUi7gQi7.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: YLDUi7gQi7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Drawing.pdbMZ@ source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: ImageViewer.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2646544849.0000000000A31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.pdb, source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: ImageViewer.pdb& source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: C:\Users\Administrator\Desktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdb source: YLDUi7gQi7.exe
Source:	Binary string: n8C:\Windows\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2645927139.00000000005B7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2646809448.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbM source: YLDUi7gQi7.exe, 00000000.00000002.2646809448.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdbp source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.Xml.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: nC:\Users\user\Desktop\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2645927139.00000000005B7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb( source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2646544849.0000000000A31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdbD source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: C:\Users\Administrator\Desktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdbesktop\YLDUi7gQi7.PDB source: YLDUi7gQi7.exe, 00000000.00000002.2645927139.00000000005B7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: Microsoft.CSharp.pdb4 source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: esktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdb- source: YLDUi7gQi7.exe, 00000000.00000002.2656405063.00000000062E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2646544849.0000000000A31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: esktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2656405063.00000000062E0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2646544849.0000000000A31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdb- source: YLDUi7gQi7.exe
Source:	Binary string: [symbols\exe\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.2645927139.00000000005B7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbH source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERFAEA.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdbY78 source: YLDUi7gQi7.exe, 00000000.00000002.2646544849.0000000000A31000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WERFAEA.tmp.dmp.5.dr

Source: YLDUi7gQi7.exe

Static PE information: 0xE3B04AF9 [Thu Jan 18 17:59:21 2091 UTC]

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_00C6A689 pushfd ; ret	0_2_00C6A696
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_00C64659 push edx; retn 0004h	0_2_00C6465A
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_00C647B1 push esi; retn 0004h	0_2_00C647B2
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_00C64778 push ebp; retn 0004h	0_2_00C6477A
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_00C6CA71 pushfd ; ret	0_2_00C6CA7E
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_00C6D381 push cs; ret	0_2_00C6D38E
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_00C6D4C0 push cs; ret	0_2_00C6D4CE
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_00C6D469 push cs; ret	0_2_00C6D476
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_00C6D5E8 push es; ret	0_2_00C6D5F6
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_00C6BD08 push edx; ret	0_2_00C6BD17
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_00C65E93 pushfd ; ret	0_2_00C65F26

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Memory allocated: C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Memory allocated: 26F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Memory allocated: 46F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598371	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598221	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597638	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596233	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595664	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595135	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 594904	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 594357	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 593735	Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Window / User API: threadDelayed 7444			Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Window / User API: threadDelayed 2392			Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7668	Thread sleep count: 7444 > 30	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7668	Thread sleep count: 2392 > 30	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -599531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -598953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -598719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -598371s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -598221s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -597954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -597638s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -597391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -596688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -596233s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -596016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -595664s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -595135s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -594904s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -594766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -594468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -594357s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -593860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 7660	Thread sleep time: -593735s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598719	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598371	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598221	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597638	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596688	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596233	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595664	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595135	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 594904	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 594766	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 594468	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 594357	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 593735	Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: YLDUi7gQi7.exe, 00000000.00000002.2646544849.0000000000A31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Queries volume information: C:\Users\user\Desktop\YLDUi7gQi7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	LSASS Memory	41 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
YLDUi7gQi7.exe	79%	ReversingLabs	Win32.Trojan.Acll
YLDUi7gQi7.exe	100%	Avira	HEUR/AGEN.1351365
YLDUi7gQi7.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://94.154.37.129/file/1524P	0%	Avira URL Cloud	safe
http://mdfile24.theworkpc.com/file/1524d	0%	Avira URL Cloud	safe
http://mdfile24.theworkpc.com/file/1524	0%	Avira URL Cloud	safe
http://94.154.37.129	0%	Avira URL Cloud	safe
http://94.154.37.129/file/1524	0%	Avira URL Cloud	safe
http://mdfile24.theworkpc.com	0%	Avira URL Cloud	safe
http://94.154.37.129/file/1524Ohttp://mdfile24.theworkpc.com/file/1524	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mdfile24.theworkpc.com	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://94.154.37.129/file/1524	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.154.37.129	YLDUi7gQi7.exe, 00000000.00000002.2647411596.000000000275E000.00000004.00000800.00020000.00000000.sdmp, YLDUi7gQi7.exe, 00000000.00000002.2647411596.0000000002772000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.5.dr	false		high
http://94.154.37.129/file/1524Ohttp://mdfile24.theworkpc.com/file/1524	YLDUi7gQi7.exe	false	Avira URL Cloud: safe	unknown
http://94.154.37.129/file/1524P	YLDUi7gQi7.exe, 00000000.00000002.2647411596.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mdfile24.theworkpc.com	YLDUi7gQi7.exe, 00000000.00000002.2647411596.0000000002788000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	YLDUi7gQi7.exe, 00000000.00000002.2647411596.000000000275E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mdfile24.theworkpc.com/file/1524d	YLDUi7gQi7.exe, 00000000.00000002.2647411596.0000000002788000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mdfile24.theworkpc.com/file/1524	YLDUi7gQi7.exe, 00000000.00000002.2647411596.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.154.37.129	unknown	Ukraine		12695	DINET-ASRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586670
Start date and time:	2025-01-09 13:36:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YLDUi7gQi7.exe renamed because original name is a hash value
Original Sample Name:	e8d13a972f91936870dc5d2e8830dc10a00e499b1bc25cc88ec4570cf7dbfd66.exe
Detection:	MAL
Classification:	mal64.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 11 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 4.175.87.197, 13.107.246.45, 20.190.159.2
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: YLDUi7gQi7.exe

Simulations

Behavior and APIs

Time	Type	Description
07:37:13	API Interceptor	192x Sleep call for process: YLDUi7gQi7.exe modified
07:37:57	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DINET-ASRU	mmbasic.exe	Get hash	malicious	Unknown	Browse	89.208.236.251
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63	Get hash	malicious	HTMLPhisher	Browse	95.163.84.7
	https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml	Get hash	malicious	HTMLPhisher	Browse	95.163.84.7
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	95.163.84.7
	nsharm7.elf	Get hash	malicious	Mirai	Browse	213.248.5.162
	https://img10.reactor.cc/pics/post/full/Sakimichan-artist-Iono-(Pokemon)-Pok%c3%a9mon-7823638.jpeg	Get hash	malicious	HTMLPhisher	Browse	213.248.44.211
	jew.m68k.elf	Get hash	malicious	Unknown	Browse	85.192.49.117
	bot.spc.elf	Get hash	malicious	Mirai	Browse	85.196.7.237
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	45.151.37.25
	https://link.mail.beehiiv.com/ls/click?upn=u001.R74aO5UQ-2FrUOGP4XJV77OKQT1NAU9BwQ6OP1zvOna2j3qRTjcdTYAqprTXNbU1vrKPOdnlpDlbO1ohrNKAkzUmdLI4l19yBq8cKvYb8dsNKK6IsO0404WADpCgMHJK-2BM7ePj1I7t27EBUyeaiqRuwqngyTjrFDMwzKEm6VF8ExY0iFbvMWKjDk4Y7upRdq5sSY4nXTsFeij7Q5E2ydkS65V1Y39RLDjY80Udth17NgVFYK9r3RCAH09UYk2CIjxFd5I9_j6TOopR0rmB-2FAe-2FAtMIxxpgCP1uVymDZ2Ai3kvTmy94R9Cva2dqhTbcrX0jwqqIbWEZoY75Qxv0d-2Fi-2BJ58G8TpFK32hJ3Y6KvVmw024fgWikUvw7JSpe1p1AxJouHIwzH-2B4WSy6DMsQxGcoT2TOfGxh3ObD4vtK9CAXwy7Cjhf2-2FwG571nv3bia-2F44CMLr9lsCQcs3SwvYIDQ24Nq6VfvIfUFJ9nNyI7I5MS5J8-2Bg5rLnAjlWoLmJBScJaNhqffuqYHWE3BYOKju8i7o1wD6Pw-2Fs92sFC2Mh7Oi9oheY1ZKD714qAu5jG5ZYhyhfMgCcuyNvp15ZI4Srd3AOfDL686JQJNBXoqAuLGHc3y6muY0dxN9oNJrp8vksovnjs-2Be8S30MoUUfcAPp8UPZjIomKd3EBkrVIa3k8AgkBS-2BZFp3F1x23PdTLWCU-2BZmxkQxWt	Get hash	malicious	Unknown	Browse	79.137.248.152

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLDUi7gQi7.exe_e2efadd0c07588203588e69e8168810594cd21f_320da828_70c98961-f58c-4cb1-83d1-f842bf893c1a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1135940497329162
Encrypted:	false
SSDEEP:	192:C0o85NxZ0BU/6aGOJo5e9zuiFciXZ24IO8EH:loKNcBU/6ahwazuiFciXY4IO8EH
MD5:	55376C24A5C13BCABF68BA9FBFB5DA6E
SHA1:	F6761F8FA77C2DF947374A5C4D61BABF7336B6B4
SHA-256:	0F8E6419B7AA04E91056DA4FBBBEF0F9A232FEFDBFA2CC2E175E09B6FFE666B7
SHA-512:	382577656F572A5CF6B12265A8950326EE1F46A902EB4D179DE0C9BF8DE450A23999A6F0955C8D8972BAF73342DBADED772C0EE331D5F30DB1EB9D3CDD9C8C62
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.9.9.8.5.7.7.2.6.4.2.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.9.9.8.5.8.2.7.3.2.8.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.c.9.8.9.6.1.-.f.5.8.c.-.4.c.b.1.-.8.3.d.1.-.f.8.4.2.b.f.8.9.3.c.1.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.2.8.9.7.c.f.8.-.d.e.a.2.-.4.c.d.b.-.9.2.4.0.-.d.2.7.7.7.1.0.5.7.1.a.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Y.L.D.U.i.7.g.Q.i.7...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.m.a.g.e.V.i.e.w.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.7.8.-.0.0.0.1.-.0.0.1.4.-.6.6.3.d.-.a.e.2.8.9.3.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.c.2.c.4.b.4.a.0.7.f.6.2.6.e.7.5.f.b.7.7.d.1.2.5.f.b.1.b.e.9.8.0.0.0.0.0.0.0.0.!.0.0.0.0.e.c.4.2.9.1.a.a.8.a.4.c.4.2.0.7.4.a.f.5.d.2.4.1.9.4.e.8.5.9.1.3.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAEA.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 9 12:37:38 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	322255
Entropy (8bit):	3.6892628275874704
Encrypted:	false
SSDEEP:	3072:kygo5IzGyM4uEqtXDnqLTgX85DamCxpk5wkL:kygoEGyM4+XDITghmQ
MD5:	01AFAA56CEB31FC77EA3A2D21360C47E
SHA1:	7CE1B2735A36D291CA1BD21623D1CABD8F7D63DA
SHA-256:	EBEC74ADCC62F5BA3E5AD9310E5A2D8163CCADA821AEF04D5DE2D85A49579D7B
SHA-512:	43DC8C65D0ED0B6D1D7BF67EDCB8A9E9743C8652A5323CB40765BBDAE7409C3D926767F122CCBAABEB1FFE7C90F41C31D3C3451A14215A8EBCBDB8AF554AC3B4
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g........................p...........<....%.......(..0`..........`.......8...........T............?..............%...........'..............................................................................eJ......H(......GenuineIntel............T.......x......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC71.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8410
Entropy (8bit):	3.6961208436422943
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+W6TTLoe6YEImSUN07gmfZdV0prg89bzNsfPRm:R6lXJH6TZ6YEpSUC7gmfp0zGfE
MD5:	2F2567AF52BC5425F14138DA6AACA5B0
SHA1:	D290627D1759D8B38E1E6E823C8A4730C1FCE3F7
SHA-256:	E9659C1E0CE1A5DF67C78D65F669C9E784F6BBD7248E1D965F97A2A2F1551745
SHA-512:	B03C778B2FDC6D48F8D020D0C3D3A77C5539C1B69E7B622323A6283D68F6DB732EFDE6FD9263FD34B80A641A6B19C4594198F8B774CDD09CF5FE5528D33C5F81
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC92.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4748
Entropy (8bit):	4.476909567197126
Encrypted:	false
SSDEEP:	48:cvIwWl8zsLJg77aI91CWpW8VY/YYm8M4JanFL+q8vSbcn0jMNcd:uIjflI7LD7VAJAKPbNcd
MD5:	C4179D69655526C05A9D04635CCCDDFE
SHA1:	99E089374EFA7F226B855E9A05BA32A334EC44DF
SHA-256:	B14984E77B3739B77CC9BD990D6C90DCF29570DC20C10745D1626A149E6197C9
SHA-512:	60F58E298C4C56DD70C01678663278A9B203F6F01FE9A1D8F93701FD775D77008D760061CB70E5FCBB17AEAF1A31F4D27ECB10DE2B36B6D900B3AC6D09773373
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668380" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421710268909629
Encrypted:	false
SSDEEP:	6144:WSvfpi6ceLP/9skLmb0OTYWSPHaJG8nAgeMZMMhA2fX4WABlEnN70uhiTw:1vloTYW+EZMM6DFy503w
MD5:	B011C1D4267656F22C9896CC6C449121
SHA1:	D5842F5B384A35D93D2FBF9E69725C8A1E36F57E
SHA-256:	960022BBBED22F05CAC26182581C7611330F08D05A41AF5A6D948B2D85130D8B
SHA-512:	9D91E42E5F574B105567C58C9B81270D0479181AB4855FCD9E2FA42E45DB48B68B25F52C8B5E1A8F5E5AE9C1D624855426A168BC586A0548FECE8BE7E4B8EDD7
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.).C.b................................................................................................................................................................................................................................................................................................................................................w........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.660844052428411
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	YLDUi7gQi7.exe
File size:	44'032 bytes
MD5:	6742e36ad0679bf1bdaa1fef3afa43b8
SHA1:	ec4291aa8a4c42074af5d24194e859138650a192
SHA256:	e8d13a972f91936870dc5d2e8830dc10a00e499b1bc25cc88ec4570cf7dbfd66
SHA512:	3545a3e003c6683aa503af4128ec91f3ba8e22435ca4ade2d73aa8a7261b4e97df2b352f319d13a211ff841de7081c7e212ccc8c17efc538e2715447835a135b
SSDEEP:	768:aZTnFLYzyaPVzlIFfSCoojXAD5MeEsw8PfgGqpIP:aZDatzlmuCYIGqpC
TLSH:	50136C1222EC4325C23A2BF338A36B211731AD4DD997D75894CAEBED39E378047427E5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J................0..d...F......Z.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	5da4ed8cb48d540d

Static PE Info

General

Entrypoint:	0x40825a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE3B04AF9 [Thu Jan 18 17:59:21 2091 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8205	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x43b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8164	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6260	0x6400	f04f7fb00e3f50183ef1be6fbd8eb9c9	False	0.404609375	data	5.4751341010778125	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x43b8	0x4400	a211b975f7747e74ce91b1cb5890cb6a	False	0.9281939338235294	data	7.820911984198312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	136ff3f80437692287283b25d52d3e6c	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa100	0x3d56	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.977009298178576
RT_GROUP_ICON	0xde68	0x14	data	1.05
RT_VERSION	0xde8c	0x32c	data	0.4236453201970443
RT_MANIFEST	0xe1c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 13:36:52.885409117 CET	49704	80	192.168.2.5	94.154.37.129
Jan 9, 2025 13:36:52.890642881 CET	80	49704	94.154.37.129	192.168.2.5
Jan 9, 2025 13:36:52.890739918 CET	49704	80	192.168.2.5	94.154.37.129
Jan 9, 2025 13:36:52.891304016 CET	49704	80	192.168.2.5	94.154.37.129
Jan 9, 2025 13:36:52.896208048 CET	80	49704	94.154.37.129	192.168.2.5
Jan 9, 2025 13:37:14.304671049 CET	80	49704	94.154.37.129	192.168.2.5
Jan 9, 2025 13:37:14.304845095 CET	49704	80	192.168.2.5	94.154.37.129
Jan 9, 2025 13:37:14.313514948 CET	49704	80	192.168.2.5	94.154.37.129
Jan 9, 2025 13:37:14.315821886 CET	49709	80	192.168.2.5	94.154.37.129
Jan 9, 2025 13:37:14.318973064 CET	80	49704	94.154.37.129	192.168.2.5
Jan 9, 2025 13:37:14.321268082 CET	80	49709	94.154.37.129	192.168.2.5
Jan 9, 2025 13:37:14.321355104 CET	49709	80	192.168.2.5	94.154.37.129
Jan 9, 2025 13:37:14.321470976 CET	49709	80	192.168.2.5	94.154.37.129
Jan 9, 2025 13:37:14.326776981 CET	80	49709	94.154.37.129	192.168.2.5
Jan 9, 2025 13:37:20.453860998 CET	58538	53	192.168.2.5	1.1.1.1
Jan 9, 2025 13:37:20.458741903 CET	53	58538	1.1.1.1	192.168.2.5
Jan 9, 2025 13:37:20.458816051 CET	58538	53	192.168.2.5	1.1.1.1
Jan 9, 2025 13:37:20.463804007 CET	53	58538	1.1.1.1	192.168.2.5
Jan 9, 2025 13:37:20.929866076 CET	58538	53	192.168.2.5	1.1.1.1
Jan 9, 2025 13:37:20.934884071 CET	53	58538	1.1.1.1	192.168.2.5
Jan 9, 2025 13:37:20.934958935 CET	58538	53	192.168.2.5	1.1.1.1
Jan 9, 2025 13:37:35.694808960 CET	80	49709	94.154.37.129	192.168.2.5
Jan 9, 2025 13:37:35.694889069 CET	49709	80	192.168.2.5	94.154.37.129
Jan 9, 2025 13:37:35.695065022 CET	49709	80	192.168.2.5	94.154.37.129
Jan 9, 2025 13:37:35.699929953 CET	80	49709	94.154.37.129	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 13:37:20.451123953 CET	53	53295	1.1.1.1	192.168.2.5
Jan 9, 2025 13:37:35.713650942 CET	61592	53	192.168.2.5	1.1.1.1
Jan 9, 2025 13:37:35.999577045 CET	53	61592	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 13:37:35.713650942 CET	192.168.2.5	1.1.1.1	0x2c43	Standard query (0)	mdfile24.theworkpc.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 13:37:35.999577045 CET	1.1.1.1	192.168.2.5	0x2c43	Name error (3)	mdfile24.theworkpc.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

94.154.37.129

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	94.154.37.129	80	7288	C:\Users\user\Desktop\YLDUi7gQi7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 13:36:52.891304016 CET	72	OUT	GET /file/1524 HTTP/1.1 Host: 94.154.37.129 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	94.154.37.129	80	7288	C:\Users\user\Desktop\YLDUi7gQi7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 13:37:14.321470976 CET	72	OUT	GET /file/1524 HTTP/1.1 Host: 94.154.37.129 Connection: Keep-Alive

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: YLDUi7gQi7.exePID: 7288, Parent PID: 1028

General

Target ID:	0
Start time:	07:36:51
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\YLDUi7gQi7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YLDUi7gQi7.exe"
Imagebase:	0x410000
File size:	44'032 bytes
MD5 hash:	6742E36AD0679BF1BDAA1FEF3AFA43B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7860, Parent PID: 7288

General

Target ID:	5
Start time:	07:37:36
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7288 -s 1608
Imagebase:	0x890000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: YLDUi7gQi7.exePID: 7288, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	33
Total number of Limit Nodes:	1

Executed Functions

Function 00C63E28 Relevance: 3.3, Strings: 2, Instructions: 805
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

S, xrefs: 00C67864
*, xrefs: 00C67451

Memory Dump Source

Source File: 00000000.00000002.2647107131.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_YLDUi7gQi7.jbxd

Similarity

API ID:
String ID: *$S
API String ID: 0-3373398988
Opcode ID: 2a01ab4ad6d038cb953c9fee98febab5f11f94b83742055853d625e97f15dc6a
Instruction ID: 95b8b45f3fdf79201b4a79d53110c51a457f677adba9ab8994cde0966bb26974
Opcode Fuzzy Hash: 2a01ab4ad6d038cb953c9fee98febab5f11f94b83742055853d625e97f15dc6a
Instruction Fuzzy Hash: 12925178D012298FDB65DF69D984B9DBBB2FB88300F1081EA990DA7355DB315E81DF40

Function 00C6C0F9 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C6C35E

Memory Dump Source

Source File: 00000000.00000002.2647107131.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_YLDUi7gQi7.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8941bfb2a090f183057d53abba38999cb3d137150c72675150916661466cbd66
Instruction ID: 2d9887e3c19f8e0a1ff458f8a5ce274b826e62e05745353f1e10bbdf552b6fd4
Opcode Fuzzy Hash: 8941bfb2a090f183057d53abba38999cb3d137150c72675150916661466cbd66
Instruction Fuzzy Hash: B68145B0A00B458FD724CF69D49076ABBF1FF88300F008A2DD49AD7A51D775EA45CB90

Function 00C644B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C659C9

Memory Dump Source

Source File: 00000000.00000002.2647107131.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_YLDUi7gQi7.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1f6f3a30b333862071a9d84db6b3606755de99f1a9345feea43512c0b1217366
Instruction ID: b01da0c4083ac85b49565b685f943917beff411e262523ce994281410ac8f7d1
Opcode Fuzzy Hash: 1f6f3a30b333862071a9d84db6b3606755de99f1a9345feea43512c0b1217366
Instruction Fuzzy Hash: 2A41C2B1D0071DCBDB24CFA9C884B9DBBF5BF49304F20816AD409AB255DBB56946CF90

Function 00C65913 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C659C9

Memory Dump Source

Source File: 00000000.00000002.2647107131.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_YLDUi7gQi7.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d8ff998c575a3fda60288749af583350237d0bff5b6805103b19796a0f8d58ee
Instruction ID: 1f12dbde4c8f4ec9aa2514b82ca3dc0adf02f4818dacf4729c968cec89f37652
Opcode Fuzzy Hash: d8ff998c575a3fda60288749af583350237d0bff5b6805103b19796a0f8d58ee
Instruction Fuzzy Hash: 8541E0B0C0071DCBDB24CFA9C884B9DBBF5BF48304F24816AD418AB255DBB5694ACF50

Function 00C6C0E8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C6E2C6,?,?,?,?,?), ref: 00C6E78F

Memory Dump Source

Source File: 00000000.00000002.2647107131.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_YLDUi7gQi7.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3b6b612e413dfe566883b1bbd733cf7a34dd8b0abfd4438f9ad3d02fdd1e3dbc
Instruction ID: 1383b0a5c01669954e3e0842022709f6c3a13c6871da1f27f0e642adc285815a
Opcode Fuzzy Hash: 3b6b612e413dfe566883b1bbd733cf7a34dd8b0abfd4438f9ad3d02fdd1e3dbc
Instruction Fuzzy Hash: C721E4B5900248AFDB10CF9AD984AEEBFF8FB48320F14841AE914A7310D374A954DFA4

Function 00C6E700 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C6E2C6,?,?,?,?,?), ref: 00C6E78F

Memory Dump Source

Source File: 00000000.00000002.2647107131.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_YLDUi7gQi7.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 79c320913cfae53e02b73c7104a002493f1b70faa5d7b28e5c2b84b02ffd7885
Instruction ID: ba75642f80180755365726b6e5331adc1b053b78f1777300b77f3ed9eef5a07e
Opcode Fuzzy Hash: 79c320913cfae53e02b73c7104a002493f1b70faa5d7b28e5c2b84b02ffd7885
Instruction Fuzzy Hash: 5921F5B9900249DFDB10CFA9D584ADEBFF5FB48320F14841AE918A3350D378AA54CF65

Function 00C6C2F8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C6C35E

Memory Dump Source

Source File: 00000000.00000002.2647107131.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c60000_YLDUi7gQi7.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 652f8fcfe641814750a0b14dc30c2b428046e1d95c71b73aafd80aadca3c9300
Instruction ID: 85bc54a84ae3ec8bbb73a94b87b6a10b74386bb7ae68fc6954f6744727d5ca8f
Opcode Fuzzy Hash: 652f8fcfe641814750a0b14dc30c2b428046e1d95c71b73aafd80aadca3c9300
Instruction Fuzzy Hash: 6911D2B6C006498FCB20CF9AC484ADEFBF4EB88324F14C52AD469A7210C379A545CFA5

Function 009ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646521648.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_YLDUi7gQi7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81f6a4392fe2442055a0ac85390bbb912d08a65c65345bb367f59f0a46b0885
Instruction ID: ba3a0d8df60c15f3ec6cce92d1b97ff6591a1511456640126fdfae947dffe11c
Opcode Fuzzy Hash: a81f6a4392fe2442055a0ac85390bbb912d08a65c65345bb367f59f0a46b0885
Instruction Fuzzy Hash: FB214B71104284DFDB02DF04C9C0B16BF65FBA8324F20C568D8090B2E6D33AEC06C6A1

Function 00BFD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646943974.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfd000_YLDUi7gQi7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404246078fa47bd317a72c07ea05bbcea5f8d88aa38381ee228588f7329a2734
Instruction ID: 3dcb32e2f78a66cce8a7429734c60240c0d9a2cfc0f2fa3baf428eaf04570fe6
Opcode Fuzzy Hash: 404246078fa47bd317a72c07ea05bbcea5f8d88aa38381ee228588f7329a2734
Instruction Fuzzy Hash: 4A213771504208DFCB15DF24D9D0B26BBA6FB84314F20C5ADDA094B346CB3BD80BCA61

Function 00BFD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646943974.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bfd000_YLDUi7gQi7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49dde6073b165799a9488490471c5dcf3f012446b7295ac9eeb78fd9b8589e3f
Instruction ID: 7a0a0038a5e9835c80c09744d66c4ef6c77b5842cf44d1309472b689103a8ba2
Opcode Fuzzy Hash: 49dde6073b165799a9488490471c5dcf3f012446b7295ac9eeb78fd9b8589e3f
Instruction Fuzzy Hash: E821C6755093848FCB06CF20D594715BFB2EB46314F28C5EAD9498B297C33AD80ACB62

Function 009ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646521648.00000000009ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 009ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ed000_YLDUi7gQi7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 064580762b0e923a6f9073d9524068d70a86677b9d42b783fac12c0bceefb5d0
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: D4112976404280DFDB02CF00D5C4B16BF71FBA4324F24C2A9D8090B2A6C33AD856CB91

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YLDUi7gQi7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLDUi7gQi7.exe_e2efadd0c07588203588e69e8168810594cd21f_320da828_70c98961-f58c-4cb1-83d1-f842bf893c1a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAEA.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC71.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC92.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

Windows Analysis Report
YLDUi7gQi7.exe

Function 00C63E28 Relevance: 3.3, Strings: 2, Instructions: 805
COMMON

Function 00C6C0F9 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Function 00C644B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 00C65913 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Function 00C6C0E8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 00C6E700 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Function 00C6C2F8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON