Edit tour

Windows Analysis Report
YLDUi7gQi7.exe

Overview

General Information

Sample name:	YLDUi7gQi7.exe renamed because original name is a hash value
Original sample name:	e8d13a972f91936870dc5d2e8830dc10a00e499b1bc25cc88ec4570cf7dbfd66.exe
Analysis ID:	1586670
MD5:	6742e36ad0679bf1bdaa1fef3afa43b8
SHA1:	ec4291aa8a4c42074af5d24194e859138650a192
SHA256:	e8d13a972f91936870dc5d2e8830dc10a00e499b1bc25cc88ec4570cf7dbfd66
Tags:	exeuser-adrian__luca
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

YLDUi7gQi7.exe (PID: 6672 cmdline: "C:\Users\user\Desktop\YLDUi7gQi7.exe" MD5: 6742E36AD0679BF1BDAA1FEF3AFA43B8)

WerFault.exe (PID: 2260 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1564 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: YLDUi7gQi7.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: YLDUi7gQi7.exe

ReversingLabs: Detection: 79%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: YLDUi7gQi7.exe

Joe Sandbox ML: detected

Source: YLDUi7gQi7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: YLDUi7gQi7.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: ImageViewer.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\ImageViewer.pdbI source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.0000000000951000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: Accessibility.pdb& source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\ImageViewer.pdbp source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdb source: YLDUi7gQi7.exe
Source:	Binary string: System.Configuration.ni.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.0000000000951000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: C:\Users\Administrator\Desktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdb\Desktop\YLDUi7gQi7.PDB source: YLDUi7gQi7.exe, 00000000.00000002.3939503115.00000000008F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP<o8C:\Windows\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939503115.00000000008F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: symbols\exe\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939503115.00000000008F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\exe\ImageViewer.pdbn5 source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: System.pdb4 source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\exe\ImageViewer.pdb\g source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbX source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbn source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdbne source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: ?HoC:\Users\user\Desktop\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939503115.00000000008F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdb- source: YLDUi7gQi7.exe
Source:	Binary string: System.ni.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERBDC9.tmp.dmp.6.dr

Source: global traffic

TCP traffic: 192.168.2.6:63564 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /file/1524 HTTP/1.1Host: 94.154.37.129Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file/1524 HTTP/1.1Host: 94.154.37.129Connection: Keep-Alive

Source: unknown

DNS traffic detected: query: mdfile24.theworkpc.com replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	TCP traffic detected without corresponding DNS query: 94.154.37.129
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /file/1524 HTTP/1.1Host: 94.154.37.129Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /file/1524 HTTP/1.1Host: 94.154.37.129Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: mdfile24.theworkpc.com

Source: YLDUi7gQi7.exe, 00000000.00000002.3940875770.000000000285E000.00000004.00000800.00020000.00000000.sdmp, YLDUi7gQi7.exe, 00000000.00000002.3940875770.0000000002872000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.154.37.129
Source: YLDUi7gQi7.exe, 00000000.00000002.3940875770.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.154.37.129/file/1524
Source: YLDUi7gQi7.exe	String found in binary or memory: http://94.154.37.129/file/1524Ohttp://mdfile24.theworkpc.com/file/1524
Source: YLDUi7gQi7.exe, 00000000.00000002.3940875770.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://94.154.37.129/file/1524P
Source: YLDUi7gQi7.exe, 00000000.00000002.3940875770.0000000002887000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mdfile24.theworkpc.com
Source: YLDUi7gQi7.exe, 00000000.00000002.3940875770.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mdfile24.theworkpc.com/file/1524
Source: YLDUi7gQi7.exe, 00000000.00000002.3940875770.0000000002887000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mdfile24.theworkpc.com/file/1524d
Source: YLDUi7gQi7.exe, 00000000.00000002.3940875770.000000000285E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_00E43E28	0_2_00E43E28
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_04E106A0	0_2_04E106A0
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_04E11060	0_2_04E11060
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Code function: 0_2_04E11053	0_2_04E11053

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1564

Source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.000000000091E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs YLDUi7gQi7.exe
Source: YLDUi7gQi7.exe, 00000000.00000000.2086468577.00000000004CA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameImageViewer.exe8 vs YLDUi7gQi7.exe
Source: YLDUi7gQi7.exe	Binary or memory string: OriginalFilenameImageViewer.exe8 vs YLDUi7gQi7.exe

Source: YLDUi7gQi7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.winEXE@2/5@1/1

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6672

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ec993c01-a449-4ead-a0c5-f15cf7c4680f

Jump to behavior

Source: YLDUi7gQi7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: YLDUi7gQi7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: YLDUi7gQi7.exe

ReversingLabs: Detection: 79%

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

File read: C:\Users\user\Desktop\YLDUi7gQi7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\YLDUi7gQi7.exe "C:\Users\user\Desktop\YLDUi7gQi7.exe"
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1564

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: YLDUi7gQi7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: YLDUi7gQi7.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: YLDUi7gQi7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Xml.ni.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: ImageViewer.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\ImageViewer.pdbI source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.0000000000951000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: Accessibility.pdb& source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\ImageViewer.pdbp source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdb source: YLDUi7gQi7.exe
Source:	Binary string: System.Configuration.ni.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.0000000000951000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: C:\Users\Administrator\Desktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdb\Desktop\YLDUi7gQi7.PDB source: YLDUi7gQi7.exe, 00000000.00000002.3939503115.00000000008F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP<o8C:\Windows\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939503115.00000000008F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: symbols\exe\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939503115.00000000008F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\exe\ImageViewer.pdbn5 source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: System.pdb4 source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\exe\ImageViewer.pdb\g source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbX source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbn source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdbne source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.00000000009EE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: ?HoC:\Users\user\Desktop\ImageViewer.pdb source: YLDUi7gQi7.exe, 00000000.00000002.3939503115.00000000008F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\ImageViewer\ImageViewer\obj\Debug\ImageViewer.pdb- source: YLDUi7gQi7.exe
Source:	Binary string: System.ni.pdb source: WERBDC9.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERBDC9.tmp.dmp.6.dr

Source: YLDUi7gQi7.exe

Static PE information: 0xE3B04AF9 [Thu Jan 18 17:59:21 2091 UTC]

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Memory allocated: E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Memory allocated: 47F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 4440	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe TID: 4440	Thread sleep time: -600000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Thread delayed: delay time: 600000			Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: YLDUi7gQi7.exe, 00000000.00000002.3939528596.0000000000951000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Queries volume information: C:\Users\user\Desktop\YLDUi7gQi7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YLDUi7gQi7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\YLDUi7gQi7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	LSASS Memory	41 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
YLDUi7gQi7.exe	79%	ReversingLabs	Win32.Trojan.Acll
YLDUi7gQi7.exe	100%	Avira	HEUR/AGEN.1351365
YLDUi7gQi7.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://94.154.37.129	0%	Avira URL Cloud	safe
http://mdfile24.theworkpc.com/file/1524	0%	Avira URL Cloud	safe
http://mdfile24.theworkpc.com	0%	Avira URL Cloud	safe
http://mdfile24.theworkpc.com/file/1524d	0%	Avira URL Cloud	safe
http://94.154.37.129/file/1524Ohttp://mdfile24.theworkpc.com/file/1524	0%	Avira URL Cloud	safe
http://94.154.37.129/file/1524P	0%	Avira URL Cloud	safe
http://94.154.37.129/file/1524	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mdfile24.theworkpc.com	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://94.154.37.129/file/1524	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.154.37.129	YLDUi7gQi7.exe, 00000000.00000002.3940875770.000000000285E000.00000004.00000800.00020000.00000000.sdmp, YLDUi7gQi7.exe, 00000000.00000002.3940875770.0000000002872000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
http://94.154.37.129/file/1524Ohttp://mdfile24.theworkpc.com/file/1524	YLDUi7gQi7.exe	false	Avira URL Cloud: safe	unknown
http://94.154.37.129/file/1524P	YLDUi7gQi7.exe, 00000000.00000002.3940875770.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mdfile24.theworkpc.com	YLDUi7gQi7.exe, 00000000.00000002.3940875770.0000000002887000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	YLDUi7gQi7.exe, 00000000.00000002.3940875770.000000000285E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mdfile24.theworkpc.com/file/1524d	YLDUi7gQi7.exe, 00000000.00000002.3940875770.0000000002887000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mdfile24.theworkpc.com/file/1524	YLDUi7gQi7.exe, 00000000.00000002.3940875770.00000000027F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.154.37.129	unknown	Ukraine		12695	DINET-ASRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586670
Start date and time:	2025-01-09 13:40:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YLDUi7gQi7.exe renamed because original name is a hash value
Original Sample Name:	e8d13a972f91936870dc5d2e8830dc10a00e499b1bc25cc88ec4570cf7dbfd66.exe
Detection:	MAL
Classification:	mal64.winEXE@2/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 12 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 13.107.246.45, 4.175.87.197, 20.190.160.14
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: YLDUi7gQi7.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DINET-ASRU	mmbasic.exe	Get hash	malicious	Unknown	Browse	89.208.236.251
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63	Get hash	malicious	HTMLPhisher	Browse	95.163.84.7
	https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml	Get hash	malicious	HTMLPhisher	Browse	95.163.84.7
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	95.163.84.7
	nsharm7.elf	Get hash	malicious	Mirai	Browse	213.248.5.162
	https://img10.reactor.cc/pics/post/full/Sakimichan-artist-Iono-(Pokemon)-Pok%c3%a9mon-7823638.jpeg	Get hash	malicious	HTMLPhisher	Browse	213.248.44.211
	jew.m68k.elf	Get hash	malicious	Unknown	Browse	85.192.49.117
	bot.spc.elf	Get hash	malicious	Mirai	Browse	85.196.7.237
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	45.151.37.25

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLDUi7gQi7.exe_e2efadd0c07588203588e69e8168810594cd21f_320da828_7af21d7d-7916-4826-a880-92ace663c746\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1139417607423476
Encrypted:	false
SSDEEP:	192:36UQVoiV5NxZ0BU/KaGOJo5e9zuiFciQZ24IO8EH:AoYNcBU/KahwazuiFciQY4IO8EH
MD5:	1A7F9072EF484570BB8C12F8EEFF9259
SHA1:	CF5740C9962E067039106AD6B7855373D343BFF9
SHA-256:	485A4088176A34BF7D150E9CC2FD2B899886C71DB86927C09763D59D18C92C57
SHA-512:	22C1C48A69B2DC1C95967AA28C23E16BC517FC696AF6826BAD3C3F4B6D6FA1338A87BAE969DB6485F82CF2CD88F5DCE911860616063AA12732E0EA9E3FAB7E7A
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.9.0.0.1.4.5.8.6.6.2.9.5.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.9.0.0.1.4.6.3.5.0.6.7.1.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.f.2.1.d.7.d.-.7.9.1.6.-.4.8.2.6.-.a.8.8.0.-.9.2.a.c.e.6.6.3.c.7.4.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.f.f.c.f.6.d.-.6.1.e.0.-.4.e.2.a.-.8.c.1.d.-.7.f.8.1.c.4.2.b.5.a.8.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Y.L.D.U.i.7.g.Q.i.7...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.m.a.g.e.V.i.e.w.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.1.0.-.0.0.0.1.-.0.0.1.5.-.0.0.d.7.-.5.9.d.5.9.3.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.c.2.c.4.b.4.a.0.7.f.6.2.6.e.7.5.f.b.7.7.d.1.2.5.f.b.1.b.e.9.8.0.0.0.0.0.0.0.0.!.0.0.0.0.e.c.4.2.9.1.a.a.8.a.4.c.4.2.0.7.4.a.f.5.d.2.4.1.9.4.e.8.5.9.1.3.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBDC9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 9 12:42:26 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	301691
Entropy (8bit):	3.796103941268842
Encrypted:	false
SSDEEP:	3072:5dDecYJnVAjT8ZFJ62ji4uEqRFOV64eLTgwsYpyk:59e1n+fqNi4WTgrYpy
MD5:	C4FA5FAC1BB24BCFC9DB94FE7A50D3EA
SHA1:	B513AB9AA3BB84225E501F7914A74532486B6245
SHA-256:	DF1C9FF0BCD6FB5FA8D82A4196FC163A03D4D6BF9E977BC265988A0C44AD5532
SHA-512:	FE7C5BE2DEECFA4B629856DE36AE76AA48BAA1785BC9FFB93747E6D0BCC50A6AF9094F37EE7336B5D1BDAD3FB90D3ED410240951FF1877C680A38D563E852635
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......2..g............t...........p...........<....$.......(..<W..........`.......8...........T...........x=...]..........4%.......... '..............................................................................eJ.......'......GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBEE3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8396
Entropy (8bit):	3.6969674842478906
Encrypted:	false
SSDEEP:	192:R6l7wVeJe66D6Y2D2SU9yC7gmfZdVRprG89b2+sfFUXSm:R6lXJ76D6YLSU9yOgmfpz29fo
MD5:	A29720E32E5B1F16189F8493E0A1A597
SHA1:	DFE88D26110E1DF9347C464A4A43A0C27AEC5070
SHA-256:	00B0D6B2B101F088AD03BD928C7957DB14BE8C2A90D6E088FB601A9469CC09C8
SHA-512:	FC812C8F5373D7FA52AD35CED6D908D216DE0E85C5C4812FC2F7E5A7A446C73D33332A4CFE0619E49A488C5857F57780F5731D84334852FDD83D2F6E913BF74F
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF13.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4748
Entropy (8bit):	4.477348135046788
Encrypted:	false
SSDEEP:	48:cvIwWl8zsgJg77aI94rWpW8VYlYm8M4JanFVC+q8vSvJWl0jMNtd:uIjfmI76a7VhJPKW6bNtd
MD5:	068B860C5B42D79EF4243AC02CA3EC36
SHA1:	CD1EEAF6DB944FE0E569078BCC40633AADC65499
SHA-256:	478C4A5CAEAFB29C359AAE70C6A03031B5713656754AE1EA9212B4721CE5427B
SHA-512:	FAA1E16E02A4E6292828C54F774ECA94B3D2808737A2B7A9AD17978880A1B640BC314CDC6BA8506D7DE96D76689E9BA65DE87B261F24FF67DBE5BEB4C1C036E1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668385" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468825699473966
Encrypted:	false
SSDEEP:	6144:HzZfpi6ceLPx9skLmb0fHZWSP3aJG8nAgeiJRMMhA2zX4WABluuN/jDH5S:TZHtHZWOKnMM6bFpBj4
MD5:	0E52EF9829A8C0A4766A7C07B371EBB1
SHA1:	34A7C53F4F5831A9E076FE3EBD757050797EC532
SHA-256:	F61DBB7AE96570838762BB213DBF44D63169ED9A20FEBA45C509B827CE37D43A
SHA-512:	CAF57BE14DA7CA7F340C4BD155D15E26A9477C42E5B1AA1783F2F56EC4B6806CE1B16246E79EFF75930B69D9E68CE767B68A761BBE40AF66606BD6E32745B6DD
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..k.b................................................................................................................................................................................................................................................................................................................................................}.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.660844052428411
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	YLDUi7gQi7.exe
File size:	44'032 bytes
MD5:	6742e36ad0679bf1bdaa1fef3afa43b8
SHA1:	ec4291aa8a4c42074af5d24194e859138650a192
SHA256:	e8d13a972f91936870dc5d2e8830dc10a00e499b1bc25cc88ec4570cf7dbfd66
SHA512:	3545a3e003c6683aa503af4128ec91f3ba8e22435ca4ade2d73aa8a7261b4e97df2b352f319d13a211ff841de7081c7e212ccc8c17efc538e2715447835a135b
SSDEEP:	768:aZTnFLYzyaPVzlIFfSCoojXAD5MeEsw8PfgGqpIP:aZDatzlmuCYIGqpC
TLSH:	50136C1222EC4325C23A2BF338A36B211731AD4DD997D75894CAEBED39E378047427E5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J................0..d...F......Z.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	5da4ed8cb48d540d

Static PE Info

General

Entrypoint:	0x40825a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE3B04AF9 [Thu Jan 18 17:59:21 2091 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8205	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x43b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8164	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6260	0x6400	f04f7fb00e3f50183ef1be6fbd8eb9c9	False	0.404609375	data	5.4751341010778125	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x43b8	0x4400	a211b975f7747e74ce91b1cb5890cb6a	False	0.9281939338235294	data	7.820911984198312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	136ff3f80437692287283b25d52d3e6c	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa100	0x3d56	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.977009298178576
RT_GROUP_ICON	0xde68	0x14	data	1.05
RT_VERSION	0xde8c	0x32c	data	0.4236453201970443
RT_MANIFEST	0xe1c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 13:41:42.591397047 CET	49699	80	192.168.2.6	94.154.37.129
Jan 9, 2025 13:41:42.600421906 CET	80	49699	94.154.37.129	192.168.2.6
Jan 9, 2025 13:41:42.600507975 CET	49699	80	192.168.2.6	94.154.37.129
Jan 9, 2025 13:41:42.601305962 CET	49699	80	192.168.2.6	94.154.37.129
Jan 9, 2025 13:41:42.609411955 CET	80	49699	94.154.37.129	192.168.2.6
Jan 9, 2025 13:41:58.994854927 CET	63564	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:41:58.999768019 CET	53	63564	1.1.1.1	192.168.2.6
Jan 9, 2025 13:41:58.999849081 CET	63564	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:41:59.005160093 CET	53	63564	1.1.1.1	192.168.2.6
Jan 9, 2025 13:41:59.523751974 CET	63564	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:41:59.528758049 CET	53	63564	1.1.1.1	192.168.2.6
Jan 9, 2025 13:41:59.528826952 CET	63564	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:42:03.982379913 CET	80	49699	94.154.37.129	192.168.2.6
Jan 9, 2025 13:42:03.982538939 CET	49699	80	192.168.2.6	94.154.37.129
Jan 9, 2025 13:42:04.004610062 CET	49699	80	192.168.2.6	94.154.37.129
Jan 9, 2025 13:42:04.006855011 CET	63596	80	192.168.2.6	94.154.37.129
Jan 9, 2025 13:42:04.009497881 CET	80	49699	94.154.37.129	192.168.2.6
Jan 9, 2025 13:42:04.011739016 CET	80	63596	94.154.37.129	192.168.2.6
Jan 9, 2025 13:42:04.011848927 CET	63596	80	192.168.2.6	94.154.37.129
Jan 9, 2025 13:42:04.011951923 CET	63596	80	192.168.2.6	94.154.37.129
Jan 9, 2025 13:42:04.016707897 CET	80	63596	94.154.37.129	192.168.2.6
Jan 9, 2025 13:42:25.383426905 CET	80	63596	94.154.37.129	192.168.2.6
Jan 9, 2025 13:42:25.383724928 CET	63596	80	192.168.2.6	94.154.37.129
Jan 9, 2025 13:42:25.383821011 CET	63596	80	192.168.2.6	94.154.37.129
Jan 9, 2025 13:42:25.388638973 CET	80	63596	94.154.37.129	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 13:41:58.994543076 CET	53	58215	1.1.1.1	192.168.2.6
Jan 9, 2025 13:42:25.398686886 CET	65192	53	192.168.2.6	1.1.1.1
Jan 9, 2025 13:42:25.522814035 CET	53	65192	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 13:42:25.398686886 CET	192.168.2.6	1.1.1.1	0x5d60	Standard query (0)	mdfile24.theworkpc.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 13:42:25.522814035 CET	1.1.1.1	192.168.2.6	0x5d60	Name error (3)	mdfile24.theworkpc.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

94.154.37.129

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49699	94.154.37.129	80	6672	C:\Users\user\Desktop\YLDUi7gQi7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 13:41:42.601305962 CET	72	OUT	GET /file/1524 HTTP/1.1 Host: 94.154.37.129 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	63596	94.154.37.129	80	6672	C:\Users\user\Desktop\YLDUi7gQi7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 13:42:04.011951923 CET	72	OUT	GET /file/1524 HTTP/1.1 Host: 94.154.37.129 Connection: Keep-Alive

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: YLDUi7gQi7.exePID: 6672, Parent PID: 4004

General

Target ID:	0
Start time:	07:41:41
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\YLDUi7gQi7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YLDUi7gQi7.exe"
Imagebase:	0x4c0000
File size:	44'032 bytes
MD5 hash:	6742E36AD0679BF1BDAA1FEF3AFA43B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 2260, Parent PID: 6672

General

Target ID:	6
Start time:	07:42:25
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1564
Imagebase:	0x3a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: YLDUi7gQi7.exePID: 6672, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.1%
Total number of Nodes:	145
Total number of Limit Nodes:	9

Executed Functions

Function 00E43E28 Relevance: 3.3, Strings: 2, Instructions: 805
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*, xrefs: 00E47451
S, xrefs: 00E47864

Memory Dump Source

Source File: 00000000.00000002.3940288628.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_YLDUi7gQi7.jbxd

Similarity

API ID:
String ID: *$S
API String ID: 0-3373398988
Opcode ID: 47122b001bfeee2fadd0b589ce55715a828e26216eeb55184b51c6a9007a850b
Instruction ID: 3a7b15e94a2c14fe71eebffe91a26e4c2bd54c80475008cd7794eb01de3967ae
Opcode Fuzzy Hash: 47122b001bfeee2fadd0b589ce55715a828e26216eeb55184b51c6a9007a850b
Instruction Fuzzy Hash: 0F927F78E012298FDB65DF69D884BD9BBB2FB88300F1081EAD909A7355DB715E81DF40

Function 04E12907 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E12A22

Strings

I&G>, xrefs: 04E1293E
I&G>, xrefs: 04E1295E

Memory Dump Source

Source File: 00000000.00000002.3941403129.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e10000_YLDUi7gQi7.jbxd

Similarity

API ID: CreateWindow
String ID: I&G>$I&G>
API String ID: 716092398-2218362689
Opcode ID: 6ce4d713780180992b0d17e9195048a4458a19e4afba306b41eedb4908e0ac15
Instruction ID: 5c054ea455555d535de0132b43778743e7611cf6bbca80bd0b0cc9ce1d0582a9
Opcode Fuzzy Hash: 6ce4d713780180992b0d17e9195048a4458a19e4afba306b41eedb4908e0ac15
Instruction Fuzzy Hash: 3E51BFB1D00209EFDF15CF99D884ADEBBB5FF48314F24916AE918AB220D771A945CF90

Function 04E10428 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E12A22

Strings

I&G>, xrefs: 04E1293E
I&G>, xrefs: 04E1295E

Memory Dump Source

Source File: 00000000.00000002.3941403129.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e10000_YLDUi7gQi7.jbxd

Similarity

API ID: CreateWindow
String ID: I&G>$I&G>
API String ID: 716092398-2218362689
Opcode ID: 7f8f7bbfea4c89aa876b9648772d7b570c281b3d1b1415152b5f4d3769c2ae71
Instruction ID: d1cd4d653da0db53403bd97a68ee7b48aa54870ecb0e19acae3a2fbb2aae1e3b
Opcode Fuzzy Hash: 7f8f7bbfea4c89aa876b9648772d7b570c281b3d1b1415152b5f4d3769c2ae71
Instruction Fuzzy Hash: 6651EFB1D00309DFDB14CF9AD884ADEBBB5BF48310F24916AE919AB220D771A941CF90

Function 00E4C0FB Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E4C35E

Strings

I&G>, xrefs: 00E4C317

Memory Dump Source

Source File: 00000000.00000002.3940288628.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_YLDUi7gQi7.jbxd

Similarity

API ID: HandleModule
String ID: I&G>
API String ID: 4139908857-2244032144
Opcode ID: 89747f97012ddb793c3e1e265d1c8e9912fcaa5abfc9791f3c8ef4ae083494d4
Instruction ID: d8de88c43996300fc2b43278aceb068448d7d466613975bca3bcd4c6afc80199
Opcode Fuzzy Hash: 89747f97012ddb793c3e1e265d1c8e9912fcaa5abfc9791f3c8ef4ae083494d4
Instruction Fuzzy Hash: F28154B0A01B018FDB64CF6AE44175ABBF1FF88304F109A2DD48AE7A51DB74E845CB95

Function 00E4590C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E459C9

Strings

I&G>, xrefs: 00E4594C

Memory Dump Source

Source File: 00000000.00000002.3940288628.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_YLDUi7gQi7.jbxd

Similarity

API ID: Create
String ID: I&G>
API String ID: 2289755597-2244032144
Opcode ID: 5102254a06fc37947b27514e95f6e1cd0512f04baa625c0d9b6db3b38ac2ca54
Instruction ID: b64196d20346503a8f9c218da2624f067e0d01bffc452e106c161a5ce4c4303a
Opcode Fuzzy Hash: 5102254a06fc37947b27514e95f6e1cd0512f04baa625c0d9b6db3b38ac2ca54
Instruction Fuzzy Hash: 8B41E0B1C0071DCBDB24CFAAD98479DBBB5BF88304F60816AD418BB251DBB56945CF90

Function 04E1057C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04E14F91

Strings

I&G>, xrefs: 04E14EE7

Memory Dump Source

Source File: 00000000.00000002.3941403129.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e10000_YLDUi7gQi7.jbxd

Similarity

API ID: CallProcWindow
String ID: I&G>
API String ID: 2714655100-2244032144
Opcode ID: 051f5eda7afec6df0578e5f628bd4a6b5ce95ad8931d01f779b2d517a38204d6
Instruction ID: 95d65096d8410315a3ff8ea31bba4f7f28a32db39bb898e95e7296c769025dc1
Opcode Fuzzy Hash: 051f5eda7afec6df0578e5f628bd4a6b5ce95ad8931d01f779b2d517a38204d6
Instruction Fuzzy Hash: 50414AB5900309DFDB14CF99C488BAABBF5FF88318F249449E519AB361D774B840CBA0

Function 00E444B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E459C9

Strings

I&G>, xrefs: 00E4594C

Memory Dump Source

Source File: 00000000.00000002.3940288628.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_YLDUi7gQi7.jbxd

Similarity

API ID: Create
String ID: I&G>
API String ID: 2289755597-2244032144
Opcode ID: 8cf0c669f22b77a7a874ab017f5c51d62fdca6bb0acbc625eee60b30fec8613c
Instruction ID: c0fd251904f5a19a8f321820ea461873ca7856caf786aaa5e96d908da24c7536
Opcode Fuzzy Hash: 8cf0c669f22b77a7a874ab017f5c51d62fdca6bb0acbc625eee60b30fec8613c
Instruction Fuzzy Hash: 5041E2B1C0071DCBEB24CFAAC844B9DBBB5BF88304F60816AD508BB251DBB16945CF90

Function 00E4C0E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E4E2C6,?,?,?,?,?), ref: 00E4E78F

Strings

I&G>, xrefs: 00E4E727

Memory Dump Source

Source File: 00000000.00000002.3940288628.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_YLDUi7gQi7.jbxd

Similarity

API ID: DuplicateHandle
String ID: I&G>
API String ID: 3793708945-2244032144
Opcode ID: 0c4211aa24e507960e40d45f097ca751b84bcc052b8957ce70c7afc49f29ca2b
Instruction ID: 4708fe7e45405795f6b2db42fdf74eec81b0b51c49135d2d8377ed5622e1fd84
Opcode Fuzzy Hash: 0c4211aa24e507960e40d45f097ca751b84bcc052b8957ce70c7afc49f29ca2b
Instruction Fuzzy Hash: 1121E3B5900249EFDB10CF9AD984AEEBBF4FB48320F14841AE914B7310D378A950CFA4

Function 00E4C2F8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E4C35E

Strings

I&G>, xrefs: 00E4C317

Memory Dump Source

Source File: 00000000.00000002.3940288628.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_YLDUi7gQi7.jbxd

Similarity

API ID: HandleModule
String ID: I&G>
API String ID: 4139908857-2244032144
Opcode ID: e11b051487b345515f2e24d0a9f585bc556aea6c8764a5bf98348d4e64e066b7
Instruction ID: ed2a4277622f5dd07a4bec55301e169a410b2870700cb5c6a75f1c038baa7c14
Opcode Fuzzy Hash: e11b051487b345515f2e24d0a9f585bc556aea6c8764a5bf98348d4e64e066b7
Instruction Fuzzy Hash: 67110FB6C016498FCB10CF9AD444ADEFBF4AF88724F20845AD429B7210D3B9A545CFA5

Function 00E45A84 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3940288628.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_YLDUi7gQi7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c2a4761f6004160ff2bf5eaf76a9ae067c1896fedd84f5a2867af3ea66a76d
Instruction ID: b1033b5aa200601302f0b22ae28be9171052d8b66a20df5e92a383ae8c38201e
Opcode Fuzzy Hash: 16c2a4761f6004160ff2bf5eaf76a9ae067c1896fedd84f5a2867af3ea66a76d
Instruction Fuzzy Hash: 8A31AA72804B49CFDF11CFA8E8457EDBBB1EF85318F60928AC015AB252C775A94ACF41

Function 00CAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3940071080.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_YLDUi7gQi7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce80d6669402d1f74492d430a3e9ffde4751510be511d59a98ac3db3046a38c6
Instruction ID: 2270b801153fe77ba21ed0700fc779e0e4499f7e8c90dfdc5348f11db5c80fc4
Opcode Fuzzy Hash: ce80d6669402d1f74492d430a3e9ffde4751510be511d59a98ac3db3046a38c6
Instruction Fuzzy Hash: 13213475604305EFCB14DF24D9C0B26BB61FB89318F20C56DE90B4B692C77AD807CA61

Function 00CAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3940071080.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_YLDUi7gQi7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680a5b72e3e838f3293456342564a8a65f3751287558be64fe2014920599865a
Instruction ID: 59a0d96cded6b06de17b1c3bbe307c59121f735d317782255933e1abb23ec600
Opcode Fuzzy Hash: 680a5b72e3e838f3293456342564a8a65f3751287558be64fe2014920599865a
Instruction Fuzzy Hash: 522153755093C08FCB12CF24D594715BF71EB46318F28C5DAD84A8F6A7C33A990ACB62

Non-executed Functions

Function 04E11060 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3941403129.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e10000_YLDUi7gQi7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d287fb54dc73dbd2365a080bce2522b0e29918d8f1057b1df0e06d4b6a109839
Instruction ID: a6f7d7f7f18388e7b7d6f1c5090e4f066871306766900d72965934c30dbcbe64
Opcode Fuzzy Hash: d287fb54dc73dbd2365a080bce2522b0e29918d8f1057b1df0e06d4b6a109839
Instruction Fuzzy Hash: CD1283B0C81745CAE318CF65F94C28D7BA1F745318FD06A89DA622A2E1D7B415EECF48

Function 04E106A0 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3941403129.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e10000_YLDUi7gQi7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f61e6f4aa9a2241e90e0ba9c1ad739cb9756c518568d4125b473cea93b32a1b
Instruction ID: 9c90881bc66a552420e085e36cf9149045ad8b8c0bca34cf9a7f8376a24c6fc7
Opcode Fuzzy Hash: 6f61e6f4aa9a2241e90e0ba9c1ad739cb9756c518568d4125b473cea93b32a1b
Instruction Fuzzy Hash: A1A16B32E002198FCF09DFB4D84059EB7B2FF85304B1595AAE905BB265DB71E955CF80

Function 04E11053 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3941403129.0000000004E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e10000_YLDUi7gQi7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4919b01bab7db24d8a8acd974934eac28ff10cf333f8715ad415748fb91b2080
Instruction ID: 0ac069657033280af0f3aab2e77b1c78dc859cacd247090a8f770ff706b51b00
Opcode Fuzzy Hash: 4919b01bab7db24d8a8acd974934eac28ff10cf333f8715ad415748fb91b2080
Instruction Fuzzy Hash: 14C1E6B0C81745CAE718DF25F84828D7BB1BB85314F916B89D9626B2D0DBB414EECF48

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YLDUi7gQi7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_YLDUi7gQi7.exe_e2efadd0c07588203588e69e8168810594cd21f_320da828_7af21d7d-7916-4826-a880-92ace663c746\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBDC9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBEE3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF13.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

Windows Analysis Report
YLDUi7gQi7.exe

Function 00E43E28 Relevance: 3.3, Strings: 2, Instructions: 805
COMMON

Function 04E12907 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128
COMMON

Function 04E10428 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116
COMMON

Function 00E4C0FB Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 199
COMMON

Function 00E4590C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Function 04E1057C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Function 00E444B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Function 00E4C0E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Function 00E4C2F8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Function 00E45A84 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON