Windows Analysis Report
PO_27052024.exe

Overview

General Information

Sample name: PO_27052024.exe
Analysis ID: 1447834
MD5: 4199d8995c4b86f6053c43cb70a87aa9
SHA1: ae7d740bc01ae87d643f98264efa3b995365a66f
SHA256: 74a7dd343c4fac52d9d695d8d189a1bf3d5e5578622099bdf731544df385b75d
Tags: exeFormbook
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 4.2.PO_27052024.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alitextile.com", "Username": "9@alitextile.com", "Password": "Myname321@"}
Multi AV Scanner detection for submitted file
Source: PO_27052024.exe ReversingLabs: Detection: 39%
Source: PO_27052024.exe Virustotal: Detection: 57% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: PO_27052024.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: PO_27052024.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: PO_27052024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4x nop then jmp 069F6F2Bh 0_2_069F6509
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4x nop then jmp 069F6F2Bh 0_2_069F6509

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 4.2.PO_27052024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_27052024.exe.390e5e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 192.185.143.105 192.185.143.105
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: ip-api.com
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: mail.alitextile.com
Source: PO_27052024.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PO_27052024.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PO_27052024.exe String found in binary or memory: http://feeds.soundcloud.com/users/soundcloud:users:38128127/sounds.rss
Source: PO_27052024.exe, 00000000.00000002.1230653583.000000000390E000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3666284064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.000000000318A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: PO_27052024.exe, 00000004.00000002.3686376787.00000000034DF000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.0000000003520000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.00000000033F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.alitextile.com
Source: PO_27052024.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: PO_27052024.exe, 00000004.00000002.3697573375.0000000009E16000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3672764286.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3672018222.0000000001246000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.000000000319D000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3696729505.0000000009D48000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.000000000322F000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.0000000003520000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.00000000033F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: PO_27052024.exe, 00000004.00000002.3697573375.0000000009E16000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3672764286.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3672018222.0000000001246000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.000000000319D000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3696729505.0000000009D48000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.000000000322F000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.0000000003520000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.00000000033F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: PO_27052024.exe, 00000004.00000002.3686376787.000000000314B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO_27052024.exe, 00000004.00000002.3697573375.0000000009E16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.o?
Source: PO_27052024.exe, 00000004.00000002.3697573375.0000000009E16000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3672764286.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3672018222.0000000001246000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3692063718.0000000006B1D000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3697154303.0000000009DA1000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.0000000003520000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3692189808.0000000006B57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: PO_27052024.exe, 00000004.00000002.3697573375.0000000009E16000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3672764286.00000000012C5000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3672018222.0000000001246000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3692063718.0000000006B1D000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3697154303.0000000009DA1000.00000004.00000020.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.0000000003520000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.00000000033F2000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3692189808.0000000006B57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: PO_27052024.exe, 00000000.00000002.1230653583.000000000390E000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3666284064.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: PO_27052024.exe, 00000000.00000002.1230653583.000000000390E000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3666284064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.000000000314B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: PO_27052024.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49703 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, 3DlgK9re6m.cs .Net Code: TDa
Source: 0.2.PO_27052024.exe.390e5e0.5.raw.unpack, 3DlgK9re6m.cs .Net Code: TDa
Installs a global keyboard hook
Source: C:\Users\user\Desktop\PO_27052024.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PO_27052024.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\PO_27052024.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.PO_27052024.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO_27052024.exe.3949a00.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO_27052024.exe.390e5e0.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO_27052024.exe.390e5e0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: 0.2.PO_27052024.exe.82d0000.10.raw.unpack, .cs Large array initialization: : array initializer size 27103
Source: 0.2.PO_27052024.exe.27548cc.4.raw.unpack, .cs Large array initialization: : array initializer size 27103
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PO_27052024.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_04B7D5BC 0_2_04B7D5BC
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_068F02D8 0_2_068F02D8
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_068FAA80 0_2_068FAA80
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_068FAA90 0_2_068FAA90
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_069F3CA0 0_2_069F3CA0
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_069F40D8 0_2_069F40D8
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_069F40C9 0_2_069F40C9
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_069F21C0 0_2_069F21C0
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_069F25E8 0_2_069F25E8
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_069F95E0 0_2_069F95E0
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_069F4510 0_2_069F4510
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_069F4501 0_2_069F4501
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_014A41F0 4_2_014A41F0
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_014AB885 4_2_014AB885
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_014A4AC0 4_2_014A4AC0
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_014A3EA8 4_2_014A3EA8
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_06F466F8 4_2_06F466F8
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_06F4D69C 4_2_06F4D69C
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_06F47E80 4_2_06F47E80
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_06F452A0 4_2_06F452A0
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_06F459EF 4_2_06F459EF
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_06F4B987 4_2_06F4B987
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_06F43168 4_2_06F43168
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_06F477A0 4_2_06F477A0
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_06F4EBE2 4_2_06F4EBE2
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_06F4EBE8 4_2_06F4EBE8
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_06F42348 4_2_06F42348
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_06F4F8D6 4_2_06F4F8D6
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_06F40040 4_2_06F40040
PE / OLE file has an invalid certificate
Source: PO_27052024.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: PO_27052024.exe, 00000000.00000002.1228902157.0000000002785000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs PO_27052024.exe
Source: PO_27052024.exe, 00000000.00000002.1227858084.000000000091E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO_27052024.exe
Source: PO_27052024.exe, 00000000.00000002.1230653583.000000000390E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7f4f14b4-d46b-42ba-b19b-0932f3eca6e2.exe4 vs PO_27052024.exe
Source: PO_27052024.exe, 00000000.00000002.1230653583.000000000390E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PO_27052024.exe
Source: PO_27052024.exe, 00000000.00000002.1228902157.0000000002731000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs PO_27052024.exe
Source: PO_27052024.exe, 00000000.00000002.1228902157.000000000277E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7f4f14b4-d46b-42ba-b19b-0932f3eca6e2.exe4 vs PO_27052024.exe
Source: PO_27052024.exe, 00000000.00000002.1233511401.00000000082D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs PO_27052024.exe
Source: PO_27052024.exe, 00000000.00000002.1232714365.0000000006960000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PO_27052024.exe
Source: PO_27052024.exe, 00000004.00000002.3666284064.000000000043E000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename7f4f14b4-d46b-42ba-b19b-0932f3eca6e2.exe4 vs PO_27052024.exe
Source: PO_27052024.exe, 00000004.00000002.3667608248.00000000010F9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO_27052024.exe
Source: PO_27052024.exe Binary or memory string: OriginalFilenamebYCc.exe" vs PO_27052024.exe
Uses 32bit PE files
Source: PO_27052024.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 4.2.PO_27052024.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO_27052024.exe.3949a00.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO_27052024.exe.390e5e0.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO_27052024.exe.390e5e0.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: PO_27052024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, slKb.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, mAKJ.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, xQRSe0Fg.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, n3rhMa.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, MQzE4FWn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, nSmgRyX5a1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, 6IMLmJtk.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, 6IMLmJtk.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, 3HroK7qN.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, 3HroK7qN.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, VoLqNbH7NBw8DyPF6f.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, VoLqNbH7NBw8DyPF6f.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, VoLqNbH7NBw8DyPF6f.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, xthsvSKDBwCmlwX3sW.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/1@3/3
Source: C:\Users\user\Desktop\PO_27052024.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_27052024.exe.log Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Mutant created: NULL
Source: PO_27052024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO_27052024.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PO_27052024.exe ReversingLabs: Detection: 39%
Source: PO_27052024.exe Virustotal: Detection: 57%
Source: C:\Users\user\Desktop\PO_27052024.exe File read: C:\Users\user\Desktop\PO_27052024.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PO_27052024.exe "C:\Users\user\Desktop\PO_27052024.exe"
Source: C:\Users\user\Desktop\PO_27052024.exe Process created: C:\Users\user\Desktop\PO_27052024.exe "C:\Users\user\Desktop\PO_27052024.exe"
Source: C:\Users\user\Desktop\PO_27052024.exe Process created: C:\Users\user\Desktop\PO_27052024.exe "C:\Users\user\Desktop\PO_27052024.exe"
Source: C:\Users\user\Desktop\PO_27052024.exe Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Users\user\Desktop\PO_27052024.exe Process created: C:\Users\user\Desktop\PO_27052024.exe "C:\Users\user\Desktop\PO_27052024.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process created: C:\Users\user\Desktop\PO_27052024.exe "C:\Users\user\Desktop\PO_27052024.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO_27052024.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: PO_27052024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO_27052024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: PO_27052024.exe, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: PO_27052024.exe, Form1.cs .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, VoLqNbH7NBw8DyPF6f.cs .Net Code: vHMcYp56Ig System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO_27052024.exe.82d0000.10.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO_27052024.exe.27548cc.4.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_04B7F110 pushad ; iretd 0_2_04B7F111
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_04B7F2F0 push esi; ret 0_2_04B7F2FA
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_04B7F2FB push edi; ret 0_2_04B7F30A
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_04B7F268 push ebx; ret 0_2_04B7F282
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_04B7F268 push esi; ret 0_2_04B7F2FA
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_04B7F30B push esp; ret 0_2_04B7F31A
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_068F0B01 push es; ret 0_2_068F0B10
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_068FF9D0 push eax; ret 0_2_068FFA2F
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_069F1EA3 pushad ; iretd 0_2_069F1EA4
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_069F1BE9 pushad ; iretd 0_2_069F1BEA
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 0_2_08082199 push eax; ret 0_2_080821A6
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_014AABA0 push esp; retf 4_2_014AAEE1
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_014A0C45 push ebx; retf 4_2_014A0C52
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_014A0C6D push edi; retf 4_2_014A0C7A
Source: PO_27052024.exe Static PE information: section name: .text entropy: 7.968838201538731
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, GciElOgIAP9EdODLDH.cs High entropy of concatenated method names: 'k6ItZ2hPW1', 'h0ttiwlENx', 'dNWtYQ21us', 'tjTtOwUkEf', 'KGmtLBkLYR', 'wxUtQRZqru', 'xKYtmSvG9G', 'U8CtdVLXqL', 'SdwtvcJh91', 'OdRtWIfvx1'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, QTm80DmE6Y15lg0D64q.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Uwae45wtFK', 'gqxeAq7cLO', 'OpleIVCe29', 'yYrexi9Vsn', 'QLqeSSOHX3', 'RbPeaPsKGD', 'z5xe55db13'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, YbCXITmol7Vq2TKq4r0.cs High entropy of concatenated method names: 'Vm7hZ7l0Ia', 'FuvhiI78ee', 'AbEhYCbnZD', 'yUchODHywZ', 'hPChLP9Cr8', 'nWLhQaT3iW', 'bIUhm4EGPK', 'biyhdC2l84', 'Otkhvaex2C', 'hCQhWhKxyL'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, VoLqNbH7NBw8DyPF6f.cs High entropy of concatenated method names: 'SZsrjkiaeo', 'lsHrEdFPEP', 'xg9rJUQese', 'n0Frgjx33c', 'xemrUggZ7h', 'EpArCWusUE', 'ArMrt00MOe', 'vNSrouH6Z6', 'xm3rRniXix', 'lR5rfh4Gc0'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, SGt4TNBQkPSXpMeN98.cs High entropy of concatenated method names: 'GtMgOrWQsG', 'ft4gQ5YvlX', 'E5FgdCRHot', 'fw0gvOA4J8', 'X7SgqAJCn0', 'npVguc06cl', 'QbxgPkXsGw', 'ltQgyxcQyh', 'yqnghfYLj0', 'itege8NsXF'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, mybZBvs7EgbSXen7rX.cs High entropy of concatenated method names: 'vwvPDoNMor', 'ijlP60UDPF', 'OPFyGmjZ3N', 'yFMyBPthbT', 'PspPnmJpq9', 'RgfPNLIV9s', 'lucPln07d0', 'k8pP4LaQmF', 'ahlPAtp03C', 'e0LPIJbZie'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, xthsvSKDBwCmlwX3sW.cs High entropy of concatenated method names: 'eRJJ4uNjfJ', 'bCrJAe4I8Z', 'Cq9JIHWOyl', 'Hr7Jx5ExCa', 'aAnJSoVs3I', 'gtCJaLUi8R', 'xg1J5Ujrf5', 'BD4JDVVnyu', 'wVOJ9qsJQO', 'wKiJ6f6hPp'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, aPwWSDpaUA1QGKjjwR.cs High entropy of concatenated method names: 'Dispose', 'QJ4B9sOS55', 'iH8VpRh2jp', 'Cd9KK3T0ap', 'i2hB6I1ZBa', 'VDUBz2rvJs', 'ProcessDialogKey', 'TXkVGGAZPc', 'WjDVBvHMLH', 'HQ2VVFv15u'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, njuXoX67fBSvw2wMrK.cs High entropy of concatenated method names: 'FI5ULicVuw', 'ccoUmmHIXV', 'uVvgHPbI4P', 'bWIgkT9I7L', 'pAwgFgMOI4', 'AZMgs1V9tO', 'UVQg2NgWha', 'FCKg8wKrrN', 'wEVg3pFo06', 'ih8gbhirgc'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, aq4nKti5eNfmk0DeOS.cs High entropy of concatenated method names: 'VTACjN1pdr', 'yEUCJ2UwQh', 'cQeCU1qhPm', 'w3GCtUVVBo', 'zPlComV8Lu', 'TcSUS1w3v4', 'y2BUaiWtCZ', 'gpJU56Wkhb', 'W9HUDTkNQJ', 'gsgU9o0KB5'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, zwiYDcWuwxgFBsJPy3.cs High entropy of concatenated method names: 'knXBtcqiQt', 'IefBoaitMY', 'jOTBfZEivv', 'zgdBTCUKeg', 'IRqBquEFoi', 'goaBuR7rvr', 'Jm9TSOkT7fFgNIOq2v', 'deJiPUnCRBgym8Hwvw', 'cPvBBok55T', 'clRBrg9qBR'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, MkEOtB9gGpjMMw3c36.cs High entropy of concatenated method names: 'eEqYtYQAE', 'SFUO0Wy3j', 'dcZQLSZ8p', 'EfXmEuWjF', 'zl1vb3XcW', 'JBJWjdtbd', 'JQ0PyEBMtCfaNNy27a', 'C8iCJ35L5W0LsGOUjq', 'THgyUrBaa', 'J6AeB7XCV'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, JV3k57zF8oQHbXICMF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BffhwibwkH', 'oBuhqFqHym', 'ynPhu6k5Ny', 'Iy2hP0raGn', 'txrhyGJgAQ', 'x4rhh39FQd', 'CA3hecdpqE'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, QoN9My8WQTEuxu9ZKJ.cs High entropy of concatenated method names: 'ToString', 'rHsunI0yyV', 'viYuptJw1R', 'gEduHGusNp', 'P1fukHdni5', 'hHTuFesXZ9', 'cpHusbk7ft', 'jS0u2ThKPU', 'nUbu8k2PE9', 'REpu3jT7Bl'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, cAjlohqWXtUJ8iL54q.cs High entropy of concatenated method names: 'bI1yE9p7Nn', 'QkKyJl2Oqd', 'hdhygofteJ', 'VMFyU8CDSM', 'XUWyCiJy19', 'pMaytPNqfB', 'N4Lyof4P2s', 'nXByRPwYKl', 'ICVyfKsoY4', 'bLoyTrAshO'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, ftFTQpjBy6MOLTpmFQ.cs High entropy of concatenated method names: 'PcrqbajboY', 'smvqNUbdFw', 'pn3q4gX1xE', 'YiiqAY1WKm', 'Ex3qp4AExh', 'O15qHkPPVe', 'toAqkYsfyf', 'qBhqFnLIua', 'JJjqsYn5oG', 'm7Zq22b3cD'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, JYpWdCP46XBbxe9e7M.cs High entropy of concatenated method names: 'GMZtE0bTRP', 'aDstgHUNCD', 'TBbtCZJgP9', 'ryxC649xSZ', 'aM9Cz0tG6A', 'eBGtG6rNiO', 'DxwtBOY2XM', 'Q1WtVUNPAT', 'POotrObywd', 'hZntcZaQAS'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, YNWEeTu2SO8XyCB4hS.cs High entropy of concatenated method names: 'vdnhBZAfbG', 'SSdhrEqSDV', 'G18hc5A0og', 'CuLhEXdvRV', 'QqqhJaREfY', 'COohUgyfnG', 'bEihCOM5jY', 'lNqy50cKhI', 'DNByDyLsC2', 'kVBy9YmboO'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, gYrtxtYp5pmyJyb4Su.cs High entropy of concatenated method names: 'y3iwd4Rs2s', 'm8XwvVCunl', 'af6w78EFxM', 'aPEwpjYgcZ', 'rGqwkJtq8g', 'sHNwFo3X6y', 'EdIw2v6woE', 'PYvw8aRmFA', 'pErwbmlt2h', 'lFIwnniWNv'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, zMuaUfCE70WhkmayNJ.cs High entropy of concatenated method names: 'z4jy7f6VVo', 'cbkypFFu5P', 'ICbyHDEZ9L', 'wCYykJH6HJ', 'oJ5y4B9oOX', 'yEsyFmjD5P', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, BDlcfTMEkDcKRbkfWp.cs High entropy of concatenated method names: 'VLEu4AJRhns3UV6YYZT', 'mxHoiaJbenJpGvomv4f', 'qqTCyGwZ0p', 'JBECh4jKIr', 'tHxCeXWmOL', 'buwq65JUg5ucgnXlve0', 'tyuP19JcBrBfhmgjPU1'
Source: 0.2.PO_27052024.exe.6960000.9.raw.unpack, zVxJRM2YpVt3GNQR4g.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'i9oV99AdB4', 'cDkV65WOEU', 'TwLVzhrRbG', 'lXCrGA50sO', 'Ax7rBm53uB', 'VSlrV4hvvv', 'sNorrNYZiG', 'hHm6Na2oCLQMy2POtri'
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PO_27052024.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: PO_27052024.exe PID: 2724, type: MEMORYSTR
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PO_27052024.exe, 00000000.00000002.1230653583.000000000390E000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3686376787.000000000319D000.00000004.00000800.00020000.00000000.sdmp, PO_27052024.exe, 00000004.00000002.3666284064.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\PO_27052024.exe Memory allocated: D70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Memory allocated: 2730000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Memory allocated: 2540000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Memory allocated: 8300000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Memory allocated: 9300000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Memory allocated: 94F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Memory allocated: A4F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Memory allocated: 1460000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Memory allocated: 3140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Memory allocated: 16D0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 598953 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 598806 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 598644 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 598531 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 598421 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 598313 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 595656 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 595547 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 595423 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 595188 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 595063 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594938 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594719 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594594 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594110 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 593985 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 593860 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PO_27052024.exe Window / User API: threadDelayed 3338 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Window / User API: threadDelayed 6464 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 2516 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -32281802128991695s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -599891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -599438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -599313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -599188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -599063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -598953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -598806s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -598644s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -598531s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -598421s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -598313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -99765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -99656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -99546s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -99437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -99327s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -99204s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -99078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -98968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -98859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -98749s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -98640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -98521s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -98406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -98275s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -98165s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -98049s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -97701s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -97593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -97482s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -595656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -595547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -595423s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -595297s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -595188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -595063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -594938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -594828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -594719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -594594s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -594485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -594360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -594235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -594110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -593985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe TID: 5452 Thread sleep time: -593860s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 598953 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 598806 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 598644 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 598531 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 598421 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 598313 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 99875 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 99765 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 99656 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 99546 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 99327 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 99204 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 99078 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 98968 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 98859 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 98749 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 98640 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 98521 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 98406 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 98275 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 98165 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 98049 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 97701 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 97593 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 97482 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 595656 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 595547 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 595423 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 595188 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 595063 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594938 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594719 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594594 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 594110 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 593985 Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Thread delayed: delay time: 593860 Jump to behavior
Source: PO_27052024.exe, 00000004.00000002.3686376787.000000000319D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: PO_27052024.exe, 00000004.00000002.3666284064.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmware
Source: PO_27052024.exe, 00000004.00000002.3666284064.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: PO_27052024.exe, 00000004.00000002.3672764286.00000000012C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\PO_27052024.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\PO_27052024.exe Code function: 4_2_014A7ED0 CheckRemoteDebuggerPresent, 4_2_014A7ED0
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PO_27052024.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\PO_27052024.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PO_27052024.exe Memory written: C:\Users\user\Desktop\PO_27052024.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO_27052024.exe Process created: C:\Users\user\Desktop\PO_27052024.exe "C:\Users\user\Desktop\PO_27052024.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Process created: C:\Users\user\Desktop\PO_27052024.exe "C:\Users\user\Desktop\PO_27052024.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO_27052024.exe Queries volume information: C:\Users\user\Desktop\PO_27052024.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Queries volume information: C:\Users\user\Desktop\PO_27052024.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 4.2.PO_27052024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_27052024.exe.3949a00.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_27052024.exe.390e5e0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_27052024.exe.390e5e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3666284064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1230653583.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_27052024.exe PID: 2724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PO_27052024.exe PID: 5956, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\PO_27052024.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\PO_27052024.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\PO_27052024.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 4.2.PO_27052024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_27052024.exe.3949a00.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_27052024.exe.390e5e0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_27052024.exe.390e5e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3686376787.000000000319D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3666284064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1230653583.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_27052024.exe PID: 2724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PO_27052024.exe PID: 5956, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 4.2.PO_27052024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_27052024.exe.3949a00.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_27052024.exe.390e5e0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_27052024.exe.390e5e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_27052024.exe.3949a00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.3666284064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1230653583.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_27052024.exe PID: 2724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PO_27052024.exe PID: 5956, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1447834 Sample: PO_27052024.exe Startdate: 27/05/2024 Architecture: WINDOWS Score: 100 18 mail.alitextile.com 2->18 20 ip-api.com 2->20 22 api.ipify.org 2->22 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 10 other signatures 2->36 7 PO_27052024.exe 3 2->7         started        signatures3 process4 signatures5 38 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->38 40 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->40 42 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->42 44 2 other signatures 7->44 10 PO_27052024.exe 15 2 7->10         started        14 PO_27052024.exe 7->14         started        16 SgrmBroker.exe 1 7->16         started        process6 dnsIp7 24 mail.alitextile.com 192.185.143.105, 49707, 49716, 49717 UNIFIEDLAYER-AS-1US United States 10->24 26 ip-api.com 208.95.112.1, 49705, 80 TUT-ASUS United States 10->26 28 api.ipify.org 104.26.13.205, 443, 49703 CLOUDFLARENETUS United States 10->28 46 Tries to steal Mail credentials (via file / registry access) 10->46 48 Tries to harvest and steal browser information (history, passwords, etc) 10->48 50 Installs a global keyboard hook 10->50 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS true
192.185.143.105
 mail.alitextile.com United States
46606 UNIFIEDLAYER-AS-1US true
104.26.13.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
api.ipify.org 104.26.13.205 true
ip-api.com 208.95.112.1 true
mail.alitextile.com 192.185.143.105 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
  • URL Reputation: safe
 unknown
http://ip-api.com/line/?fields=hosting false
  • URL Reputation: safe
 unknown