Edit tour

Windows Analysis Report
IWsK3V2Ul9.exe

Overview

General Information

Sample name:	IWsK3V2Ul9.exe renamed because original name is a hash value
Original sample name:	040cef4a919bf259e750029187dcfeff8b4b8f18e6a65cb401ee941d7999dd51.exe
Analysis ID:	1516618
MD5:	d89a424f932b8a69a4657e7ec09944da
SHA1:	7e1b1c99d1bc8fdbc8173ca9eda77dd2f4fd287c
SHA256:	040cef4a919bf259e750029187dcfeff8b4b8f18e6a65cb401ee941d7999dd51
Tags:	51-254-27-112exeuser-JAMESWT_MHT
Infos:

Detection

ArrowRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected ArrowRAT

Yara detected Powershell download and execute

.NET source code contains potential unpacker

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sigma detected: Explorer NOUACCHECK Flag

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

IWsK3V2Ul9.exe (PID: 6948 cmdline: "C:\Users\user\Desktop\IWsK3V2Ul9.exe" MD5: D89A424F932B8A69A4657E7EC09944DA)

explorer.exe (PID: 1280 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)

cvtres.exe (PID: 1852 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 147.185.221.17 55141 YnZwwlrYv MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

conhost.exe (PID: 1592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 3860 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
ArrowRAT	It is available as a service, purchasable by anyone to use in their own campaigns. Its features are generally fairly typical of a RAT, with its most notable aspect being the hVNC module which basically gives an attacker full remote access with minimal need for technical knowledge to use it.	No Attribution	https://www.arrowrat.com	https://malpedia.caad.fkie.fraunhofer.de/details/win.arrowrat

Malware Configuration

Threatname: ArrowRAT

{"C2 url": "147.185.221.17", "Port": "55141", "Identifier": "Client", "Mutex": "YnZwwlrYv"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.3874161154.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_ArrowRAT	Yara detected ArrowRAT	Joe Security
00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ArrowRAT	Yara detected ArrowRAT	Joe Security
Process Memory Space: IWsK3V2Ul9.exe PID: 6948	JoeSecurity_ArrowRAT	Yara detected ArrowRAT	Joe Security
Process Memory Space: IWsK3V2Ul9.exe PID: 6948	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: cvtres.exe PID: 1852	JoeSecurity_ArrowRAT	Yara detected ArrowRAT	Joe Security
Process Memory Space: cvtres.exe PID: 1852	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.IWsK3V2Ul9.exe.20e800905f0.0.unpack	JoeSecurity_ArrowRAT	Yara detected ArrowRAT	Joe Security
4.2.cvtres.exe.400000.0.unpack	JoeSecurity_ArrowRAT	Yara detected ArrowRAT	Joe Security
0.2.IWsK3V2Ul9.exe.20e800905f0.0.raw.unpack	JoeSecurity_ArrowRAT	Yara detected ArrowRAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Explorer NOUACCHECK Flag

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\explorer.exe /NoUACCheck, CommandLine: C:\Windows\explorer.exe /NoUACCheck, CommandLine|base64offset|contains: y, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1060, ProcessCommandLine: C:\Windows\explorer.exe /NoUACCheck, ProcessId: 3860, ProcessName: explorer.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: IWsK3V2Ul9.exe

Avira: detected

Found malware configuration

Source: 0.0.IWsK3V2Ul9.exe.20efc780000.0.unpack

Malware Configuration Extractor: ArrowRAT {"C2 url": "147.185.221.17", "Port": "55141", "Identifier": "Client", "Mutex": "YnZwwlrYv"}

Multi AV Scanner detection for submitted file

Source: IWsK3V2Ul9.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: IWsK3V2Ul9.exe

Joe Sandbox ML: detected

Source: IWsK3V2Ul9.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: IWsK3V2Ul9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\User\Desktop\Pandora DevExpress New\1.8.6 Ready to use\DLL\obj\Release\DLL.pdb source: IWsK3V2Ul9.exe, 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000004.00000002.3874161154.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: .pdb source: IWsK3V2Ul9.exe, 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .pdbd( source: IWsK3V2Ul9.exe, 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\User\Desktop\Pandora DevExpress New\1.8.6 Ready to use\DLL\obj\Release\DLL.pdbd( source: IWsK3V2Ul9.exe, 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000004.00000002.3874161154.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 147.185.221.17

Source: global traffic

TCP traffic: 192.168.2.11:49702 -> 147.185.221.17:55141

Source: Joe Sandbox View

IP Address: 147.185.221.17 147.185.221.17

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17
Source: unknown	TCP traffic detected without corresponding DNS query: 147.185.221.17

Source: IWsK3V2Ul9.exe, 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000004.00000002.3874161154.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.254.27.112:1337/skra.jpg
Source: cvtres.exe, 00000004.00000002.3875809384.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: IWsK3V2Ul9.exe, 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000004.00000002.3874161154.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/PandorahVNC/PhotoCollection/main/rescale.ps1

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: IWsK3V2Ul9.exe, Program.cs

.Net Code: KeyboardLayout

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe

Code function: 0_2_00007FFE7E1B2E69 CreateDesktopW,

0_2_00007FFE7E1B2E69

System Summary

.NET source code contains very large strings

Source: IWsK3V2Ul9.exe, HVNC.cs

Long String: Length: 65580

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 4_2_013BA860	4_2_013BA860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 4_2_013BF210	4_2_013BF210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 4_2_013BFAE0	4_2_013BFAE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 4_2_013BA84F	4_2_013BA84F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 4_2_013BEEC8	4_2_013BEEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 4_2_030D3E58	4_2_030D3E58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 4_2_030D0EA8	4_2_030D0EA8

Source: IWsK3V2Ul9.exe, 00000000.00000000.1414974566.0000020EFC7AA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs IWsK3V2Ul9.exe
Source: IWsK3V2Ul9.exe, 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDLL.exe" vs IWsK3V2Ul9.exe
Source: IWsK3V2Ul9.exe	Binary or memory string: OriginalFilenameStub.exe" vs IWsK3V2Ul9.exe

Source: IWsK3V2Ul9.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: IWsK3V2Ul9.exe, Pikolo.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: IWsK3V2Ul9.exe, Pikolo.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IWsK3V2Ul9.exe.20e800905f0.0.raw.unpack, PandoraRecovery.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.IWsK3V2Ul9.exe.20e800905f0.0.raw.unpack, PandoraRecovery.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: IWsK3V2Ul9.exe, Installer.cs

Base64 encoded string: 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb25c', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb24=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb25c'

Source: IWsK3V2Ul9.exe, Program.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: IWsK3V2Ul9.exe, Program.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.IWsK3V2Ul9.exe.20e800905f0.0.raw.unpack, HVNC.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.IWsK3V2Ul9.exe.20e800905f0.0.raw.unpack, HVNC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@0/1

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\IWsK3V2Ul9.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Mutant created: \Sessions\1\BaseNamedObjects\YnZwwlrYv
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1592:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

File created: C:\Users\user\AppData\Local\Temp\TMP_pass

Jump to behavior

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: IWsK3V2Ul9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: IWsK3V2Ul9.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\explorer.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cvtres.exe, 00000004.00000003.1433120965.000000000161D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000004.00000002.3875809384.000000000334B000.00000004.00000800.00020000.00000000.sdmp, TMP_pass.4.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: IWsK3V2Ul9.exe

ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\IWsK3V2Ul9.exe "C:\Users\user\Desktop\IWsK3V2Ul9.exe"
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 147.185.221.17 55141 YnZwwlrYv
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 147.185.221.17 55141 YnZwwlrYv	Jump to behavior

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.search.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: IWsK3V2Ul9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: IWsK3V2Ul9.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\User\Desktop\Pandora DevExpress New\1.8.6 Ready to use\DLL\obj\Release\DLL.pdb source: IWsK3V2Ul9.exe, 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000004.00000002.3874161154.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: .pdb source: IWsK3V2Ul9.exe, 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: .pdbd( source: IWsK3V2Ul9.exe, 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\User\Desktop\Pandora DevExpress New\1.8.6 Ready to use\DLL\obj\Release\DLL.pdbd( source: IWsK3V2Ul9.exe, 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000004.00000002.3874161154.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: IWsK3V2Ul9.exe, RunPE.cs	.Net Code: Run4 System.Reflection.Assembly.Load(byte[])
Source: 0.2.IWsK3V2Ul9.exe.20e800905f0.0.raw.unpack, PandoraRecovery.cs	.Net Code: OnResolveAssembly System.Reflection.Assembly.Load(byte[])

Source: IWsK3V2Ul9.exe

Static PE information: 0xF7264755 [Wed May 25 16:16:21 2101 UTC]

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Code function: 0_2_00007FFE7E1B00BD pushad ; iretd		0_2_00007FFE7E1B00C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Code function: 4_2_013B2A09 push 550135CBh; retf		4_2_013B2A0D

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Memory allocated: 20EFCAE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Memory allocated: 20EFE3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 13B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 32C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Window / User API: threadDelayed 1837			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Window / User API: threadDelayed 8132			Jump to behavior

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe TID: 3412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4476	Thread sleep count: 1837 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4476	Thread sleep time: -18370000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4476	Thread sleep count: 8132 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 4476	Thread sleep time: -81320000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: cvtres.exe, 00000004.00000002.3875121788.00000000015A7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: IWsK3V2Ul9.exe PID: 6948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 1852, type: MEMORYSTR

.NET source code references suspicious native API functions

Source: IWsK3V2Ul9.exe, RunPE.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
Source: IWsK3V2Ul9.exe, RunPE.cs	Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
Source: IWsK3V2Ul9.exe, RunPE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: IWsK3V2Ul9.exe, RunPE.cs	Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
Source: IWsK3V2Ul9.exe, RunPE.cs	Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)
Source: IWsK3V2Ul9.exe, Program.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 414000	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 416000	Jump to behavior
Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 11BF008	Jump to behavior

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 147.185.221.17 55141 YnZwwlrYv

Jump to behavior

Source: IWsK3V2Ul9.exe, 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000004.00000002.3874161154.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe	Queries volume information: C:\Users\user\Desktop\IWsK3V2Ul9.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\IWsK3V2Ul9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: cvtres.exe, 00000004.00000002.3875121788.0000000001642000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000004.00000002.3875121788.00000000015A7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected ArrowRAT

Source: Yara match	File source: 0.2.IWsK3V2Ul9.exe.20e800905f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IWsK3V2Ul9.exe.20e800905f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3874161154.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IWsK3V2Ul9.exe PID: 6948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 1852, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Remote Access Functionality

Yara detected ArrowRAT

Source: Yara match	File source: 0.2.IWsK3V2Ul9.exe.20e800905f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.IWsK3V2Ul9.exe.20e800905f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3874161154.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IWsK3V2Ul9.exe PID: 6948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cvtres.exe PID: 1852, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Create Account	312 Process Injection	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	312 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
IWsK3V2Ul9.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.Xhvnc
IWsK3V2Ul9.exe	100%	Avira	TR/Dropper.Gen
IWsK3V2Ul9.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://51.254.27.112:1337/skra.jpg	0%	Avira URL Cloud	safe
147.185.221.17	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/PandorahVNC/PhotoCollection/main/rescale.ps1	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
147.185.221.17	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/PandorahVNC/PhotoCollection/main/rescale.ps1	IWsK3V2Ul9.exe, 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000004.00000002.3874161154.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.254.27.112:1337/skra.jpg	IWsK3V2Ul9.exe, 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000004.00000002.3874161154.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	cvtres.exe, 00000004.00000002.3875809384.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.17	unknown	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1516618
Start date and time:	2024-09-24 13:28:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IWsK3V2Ul9.exe renamed because original name is a hash value
Original Sample Name:	040cef4a919bf259e750029187dcfeff8b4b8f18e6a65cb401ee941d7999dd51.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 97% Number of executed functions: 30 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target cvtres.exe, PID 1852 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: IWsK3V2Ul9.exe

Simulations

Behavior and APIs

Time	Type	Description
07:29:29	API Interceptor	8098346x Sleep call for process: cvtres.exe modified
13:29:27	Task Scheduler	Run new task: CreateExplorerShellUnelevatedTask path: C:\Windows\explorer.exe s>/NoUACCheck

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.17	SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Get hash	malicious	SheetRat	Browse
	80c619d931fa4e5c89fe87aac0b6b143.exe	Get hash	malicious	XWorm	Browse
	6ab092aeab924edb854b3ff21ea579df.exe	Get hash	malicious	XWorm	Browse
	Hoodbyunlock.exe	Get hash	malicious	XWorm	Browse
	x.exe	Get hash	malicious	XWorm	Browse
	cougif6lqM.exe	Get hash	malicious	DCRat, XWorm	Browse
	FUDE.bin.exe	Get hash	malicious	XWorm	Browse
	system47.exe	Get hash	malicious	XWorm	Browse
	setup.exe	Get hash	malicious	XWorm	Browse
	APPoKkkk8h.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	SecuriteInfo.com.FileRepMalware.32767.25187.exe	Get hash	malicious	Unknown	Browse	147.185.221.20
	SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exe	Get hash	malicious	SheetRat	Browse	147.185.221.17
	jQ2ryeS5ZP.exe	Get hash	malicious	PureCrypter, Revenge, CyberGate, DCRat, GuLoader, Njrat, PureLog Stealer	Browse	147.185.221.22
	AutoWizard.exe	Get hash	malicious	Quasar	Browse	147.185.221.22
	dsadsadsadsadsadsaw.exe	Get hash	malicious	Quasar	Browse	147.185.221.22
	killerdude.exe	Get hash	malicious	Quasar	Browse	147.185.221.22
	SecuriteInfo.com.Trojan.TR.Dropper.Gen.22332.4876.exe	Get hash	malicious	Unknown	Browse	147.185.221.19
	XyjvIO6D4m.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	vtCneOrnat.exe	Get hash	malicious	XWorm	Browse	147.185.221.22
	jbG3cpmy.exe	Get hash	malicious	XWorm	Browse	147.185.221.22

Process:	C:\Users\user\Desktop\IWsK3V2Ul9.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1088
Entropy (8bit):	5.389928136181357
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Kh6+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/E
MD5:	6B2359BF987F4BDAF6CB014F63217859
SHA1:	3894B16E010FEFF2E71BEE0274746FC34C57C1DF
SHA-256:	ED763CED7BDAE1851B6A82D1D3685E9CC94937ADADD492DD2C1AC0AB639227FD
SHA-512:	C440BE0810F8CF29ADB6E816DA07A673C1E60E926926B2E863AFE7529C2D5EDB6118335C535CD0B4F0F7D7D6E5FE9801328A37FA4012F7D4B737F6F099A1489D
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64

C:\Users\user\AppData\Local\Temp\TMP_pass

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\temp0923

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	10
Entropy (8bit):	2.2464393446710154
Encrypted:	false
SSDEEP:	3:tBOR:LOR
MD5:	C3A2582C222BAA3AF8351960ED4E6ABC
SHA1:	29798F8DD7C232B64B7BEB06C5795D1061E40495
SHA-256:	F3595F5E6C2F6781B1FDDCABACCD6B70DD03D119CB1FE4B990E1755FA18F0E95
SHA-512:	CB52B976D7BB3F91DCA812C604DDC27D954776BCB6D8046667212C4990C3F27B9E76D68B7D6E97B98D134B338A57CCED5939DBC2636DB45A37253035519DE042
Malicious:	false
Reputation:	low
Preview:	09/24/2024

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.55738394580979
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	IWsK3V2Ul9.exe
File size:	162'304 bytes
MD5:	d89a424f932b8a69a4657e7ec09944da
SHA1:	7e1b1c99d1bc8fdbc8173ca9eda77dd2f4fd287c
SHA256:	040cef4a919bf259e750029187dcfeff8b4b8f18e6a65cb401ee941d7999dd51
SHA512:	459d3531c2f72637c99cd484f555a558f3aafc8e1d967e2333470863310d34fdfae8f0da3a7f20672e9040aaf2b2be3b3d6195dc6aaf0b9a53d28a40aa4282fe
SSDEEP:	3072:qbz+H+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPoKO8Y:qbz+e0ODhTEPgnjuIJzo+PPcfPo18
TLSH:	24F36D243AFA5029F173AF7A5FE47596CA2FB7733B07985D2050038A4B23A81DDD153A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...UG&..........."...0..b............... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x428202
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF7264755 [Wed May 25 16:16:21 2101 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x281b8	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a000	0x10c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x26208	0x26400	7c81d9fdd7282ba962f30abe6cebfde7	False	0.4924236621732026	data	4.514946668454454	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2a000	0x10c4	0x1200	66865dd7ca73ed6bfb0f00d499cbed86	False	0.369140625	data	4.916643761159989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2c000	0xc	0x200	e0df67a915305135d335430a38de970d	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x2a0a0	0x2dc	data			0.4562841530054645
RT_MANIFEST	0x2a37c	0xd48	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.38588235294117645

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 24, 2024 13:29:30.128213882 CEST	49702	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:29:30.133305073 CEST	55141	49702	147.185.221.17	192.168.2.11
Sep 24, 2024 13:29:30.133388042 CEST	49702	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:29:30.142462969 CEST	49702	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:29:30.147521019 CEST	55141	49702	147.185.221.17	192.168.2.11
Sep 24, 2024 13:29:30.147741079 CEST	49702	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:29:30.154010057 CEST	55141	49702	147.185.221.17	192.168.2.11
Sep 24, 2024 13:29:51.497970104 CEST	55141	49702	147.185.221.17	192.168.2.11
Sep 24, 2024 13:29:51.498109102 CEST	49702	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:29:51.505687952 CEST	49702	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:29:51.511357069 CEST	55141	49702	147.185.221.17	192.168.2.11
Sep 24, 2024 13:29:52.516964912 CEST	49707	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:29:52.521918058 CEST	55141	49707	147.185.221.17	192.168.2.11
Sep 24, 2024 13:29:52.522057056 CEST	49707	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:29:52.522795916 CEST	49707	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:29:52.527676105 CEST	55141	49707	147.185.221.17	192.168.2.11
Sep 24, 2024 13:29:52.527756929 CEST	49707	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:29:52.532620907 CEST	55141	49707	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:13.874135017 CEST	55141	49707	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:13.874275923 CEST	49707	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:13.875339985 CEST	49707	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:13.880155087 CEST	55141	49707	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:14.905772924 CEST	49708	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:14.928627968 CEST	55141	49708	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:14.928793907 CEST	49708	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:14.943097115 CEST	49708	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:15.124325037 CEST	55141	49708	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:15.124430895 CEST	49708	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:15.129271030 CEST	55141	49708	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:36.483082056 CEST	55141	49708	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:36.483421087 CEST	49708	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:36.484632015 CEST	49708	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:36.489397049 CEST	55141	49708	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:37.485795975 CEST	49710	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:37.491429090 CEST	55141	49710	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:37.491606951 CEST	49710	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:37.492485046 CEST	49710	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:37.498498917 CEST	55141	49710	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:37.498610973 CEST	49710	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:37.503943920 CEST	55141	49710	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:58.858619928 CEST	55141	49710	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:58.859549999 CEST	49710	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:58.880492926 CEST	49710	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:58.887442112 CEST	55141	49710	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:59.892107010 CEST	49711	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:59.896934032 CEST	55141	49711	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:59.897012949 CEST	49711	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:59.898041964 CEST	49711	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:59.902839899 CEST	55141	49711	147.185.221.17	192.168.2.11
Sep 24, 2024 13:30:59.902916908 CEST	49711	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:30:59.907711983 CEST	55141	49711	147.185.221.17	192.168.2.11
Sep 24, 2024 13:31:21.271055937 CEST	55141	49711	147.185.221.17	192.168.2.11
Sep 24, 2024 13:31:21.271189928 CEST	49711	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:31:21.272816896 CEST	49711	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:31:21.277615070 CEST	55141	49711	147.185.221.17	192.168.2.11
Sep 24, 2024 13:31:22.282857895 CEST	49712	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:31:22.287862062 CEST	55141	49712	147.185.221.17	192.168.2.11
Sep 24, 2024 13:31:22.287942886 CEST	49712	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:31:22.288494110 CEST	49712	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:31:22.293260098 CEST	55141	49712	147.185.221.17	192.168.2.11
Sep 24, 2024 13:31:22.293303967 CEST	49712	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:31:22.298305035 CEST	55141	49712	147.185.221.17	192.168.2.11
Sep 24, 2024 13:31:43.688402891 CEST	55141	49712	147.185.221.17	192.168.2.11
Sep 24, 2024 13:31:43.688514948 CEST	49712	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:31:43.689800024 CEST	49712	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:31:43.696482897 CEST	55141	49712	147.185.221.17	192.168.2.11
Sep 24, 2024 13:31:44.704941034 CEST	49713	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:31:44.709954023 CEST	55141	49713	147.185.221.17	192.168.2.11
Sep 24, 2024 13:31:44.713093042 CEST	49713	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:31:44.716912985 CEST	49713	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:31:44.721693993 CEST	55141	49713	147.185.221.17	192.168.2.11
Sep 24, 2024 13:31:44.725049973 CEST	49713	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:31:44.730509996 CEST	55141	49713	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:06.096158981 CEST	55141	49713	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:06.096378088 CEST	49713	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:06.104988098 CEST	49713	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:06.110006094 CEST	55141	49713	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:07.110982895 CEST	49714	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:07.115907907 CEST	55141	49714	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:07.115988016 CEST	49714	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:07.122385979 CEST	49714	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:07.127335072 CEST	55141	49714	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:07.127417088 CEST	49714	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:07.132253885 CEST	55141	49714	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:28.471304893 CEST	55141	49714	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:28.471415043 CEST	49714	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:28.472709894 CEST	49714	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:28.477547884 CEST	55141	49714	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:29.485934973 CEST	49715	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:29.490871906 CEST	55141	49715	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:29.490952969 CEST	49715	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:29.491729975 CEST	49715	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:29.496551037 CEST	55141	49715	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:29.496598005 CEST	49715	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:29.501460075 CEST	55141	49715	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:50.849921942 CEST	55141	49715	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:50.850027084 CEST	49715	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:50.850828886 CEST	49715	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:50.856865883 CEST	55141	49715	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:51.860833883 CEST	49716	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:51.865861893 CEST	55141	49716	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:51.865964890 CEST	49716	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:51.866782904 CEST	49716	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:51.871624947 CEST	55141	49716	147.185.221.17	192.168.2.11
Sep 24, 2024 13:32:51.871715069 CEST	49716	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:32:51.876502991 CEST	55141	49716	147.185.221.17	192.168.2.11
Sep 24, 2024 13:33:13.240570068 CEST	55141	49716	147.185.221.17	192.168.2.11
Sep 24, 2024 13:33:13.240628958 CEST	49716	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:33:13.241703987 CEST	49716	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:33:13.246921062 CEST	55141	49716	147.185.221.17	192.168.2.11
Sep 24, 2024 13:33:14.253143072 CEST	49717	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:33:14.258277893 CEST	55141	49717	147.185.221.17	192.168.2.11
Sep 24, 2024 13:33:14.258459091 CEST	49717	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:33:14.259196997 CEST	49717	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:33:14.264158010 CEST	55141	49717	147.185.221.17	192.168.2.11
Sep 24, 2024 13:33:14.264669895 CEST	49717	55141	192.168.2.11	147.185.221.17
Sep 24, 2024 13:33:14.269675970 CEST	55141	49717	147.185.221.17	192.168.2.11
Sep 24, 2024 13:33:35.613765955 CEST	55141	49717	147.185.221.17	192.168.2.11
Sep 24, 2024 13:33:35.613852978 CEST	49717	55141	192.168.2.11	147.185.221.17

Target ID:	0
Start time:	07:29:26
Start date:	24/09/2024
Path:	C:\Users\user\Desktop\IWsK3V2Ul9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\IWsK3V2Ul9.exe"
Imagebase:	0x20efc780000
File size:	162'304 bytes
MD5 hash:	D89A424F932B8A69A4657E7EC09944DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ArrowRAT, Description: Yara detected ArrowRAT, Source: 00000000.00000002.1422800381.0000020E80001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:29:27
Start date:	24/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\explorer.exe"
Imagebase:	0x7ff611de0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:29:27
Start date:	24/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /NoUACCheck
Imagebase:	0x7ff611de0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:29:27
Start date:	24/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 147.185.221.17 55141 YnZwwlrYv
Imagebase:	0xff0000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ArrowRAT, Description: Yara detected ArrowRAT, Source: 00000004.00000002.3874161154.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:29:27
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	27.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	13.9%
Total number of Nodes:	36
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFE7E1B2E69 Relevance: 1.8, APIs: 1, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1424911377.00007FFE7E1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7e1b0000_IWsK3V2Ul9.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a27ac53c51f205cbd9469ba6afb61f909a2070747941223f1d6ee01ae8152e
Instruction ID: ec2739ac41bfe53391180f9f33cd426483f41b377554481c644be45a26e7595d
Opcode Fuzzy Hash: 71a27ac53c51f205cbd9469ba6afb61f909a2070747941223f1d6ee01ae8152e
Instruction Fuzzy Hash: FF911A3291CB8C4FD754DB6884466FA7BE0EF5A311F0406BFE09DD36A2DA38A849C741

Function 00007FFE7E1B213A Relevance: 2.0, APIs: 1, Instructions: 517
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00007FFE7E1B2503

Memory Dump Source

Source File: 00000000.00000002.1424911377.00007FFE7E1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7e1b0000_IWsK3V2Ul9.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 93b941218de3b9e78fa8201736eeaac0e58f13a6ca76902074a740418d8e3e40
Instruction ID: ce14c13fe86d7d22036093ab343bc6ff0e72057918e4fa83d7f506c26e20b70d
Opcode Fuzzy Hash: 93b941218de3b9e78fa8201736eeaac0e58f13a6ca76902074a740418d8e3e40
Instruction Fuzzy Hash: 3E31F83191CB8C4FDB19AB6898566FD7BF0EF56310F0402AFD089C3652DA646816C782

Function 00007FFE7E1B2544 Relevance: 1.6, APIs: 1, Instructions: 148
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 00007FFE7E1B2635

Memory Dump Source

Source File: 00000000.00000002.1424911377.00007FFE7E1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7e1b0000_IWsK3V2Ul9.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 569467014355d8aca6f01fb49557815f3067ec1e8d04eaac7816ba17de4eb1b6
Instruction ID: 55e00d2bf25aa451f624862f05a39c515203879315a01b3b9fcbe50cd33c2d6c
Opcode Fuzzy Hash: 569467014355d8aca6f01fb49557815f3067ec1e8d04eaac7816ba17de4eb1b6
Instruction Fuzzy Hash: 1741F771D1CB484FDB289F98A8066FD7BE0FB95310F04426FE499D3292DE74A845C782

Function 00007FFE7E1B2FA5 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDesktopW.USER32 ref: 00007FFE7E1B309A

Memory Dump Source

Source File: 00000000.00000002.1424911377.00007FFE7E1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7e1b0000_IWsK3V2Ul9.jbxd

Similarity

API ID: CreateDesktop
String ID:
API String ID: 3054513912-0
Opcode ID: 734d2036624657542e32781348c46b7c18c567fecb27c06b642e8ca5e3320fe8
Instruction ID: ad8c07e5738b075ceb9a716af66ba9ed0858ac867abc35765841f75e20bf33b0
Opcode Fuzzy Hash: 734d2036624657542e32781348c46b7c18c567fecb27c06b642e8ca5e3320fe8
Instruction Fuzzy Hash: 6141AE7190CB5C8FDB59DF68C8496A9BBF0FB69310F00426FE08DD3252DA74A845CB81

Function 00007FFE7E1B2681 Relevance: 1.6, APIs: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE ref: 00007FFE7E1B276A

Memory Dump Source

Source File: 00000000.00000002.1424911377.00007FFE7E1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7e1b0000_IWsK3V2Ul9.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 14209355552353dd84ce487831e64d382cd3538bf4b838e4bb817a06437c959b
Instruction ID: 9f1bee15a3837095f17a2d583ee119cc3b4b29273d2a31cc93cea45262bca3a8
Opcode Fuzzy Hash: 14209355552353dd84ce487831e64d382cd3538bf4b838e4bb817a06437c959b
Instruction Fuzzy Hash: 0741073191CB488FDB18DF9898466FD7BE0EF99311F0442AFE489C3292DE746845CB82

Function 00007FFE7E1B076A Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDesktopW.USER32 ref: 00007FFE7E1B309A

Memory Dump Source

Source File: 00000000.00000002.1424911377.00007FFE7E1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7e1b0000_IWsK3V2Ul9.jbxd

Similarity

API ID: CreateDesktop
String ID:
API String ID: 3054513912-0
Opcode ID: e2be95d6440643b076a5072a141bb8031dea5f3c63d99b29528f10ba7c7da998
Instruction ID: 9eb1a3d4af7f5e0b6b43e8331c8bf871f05d26dc57da6d918f4b964e813501d9
Opcode Fuzzy Hash: e2be95d6440643b076a5072a141bb8031dea5f3c63d99b29528f10ba7c7da998
Instruction Fuzzy Hash: 2541AE7190CB1C8FDB58EF58D8497AAB7E0FB69311F10426FE08EE3251DB70A8458B81

Function 00007FFE7E1B1F28 Relevance: 1.6, APIs: 1, Instructions: 127
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNELBASE ref: 00007FFE7E1B1FE4

Memory Dump Source

Source File: 00000000.00000002.1424911377.00007FFE7E1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7e1b0000_IWsK3V2Ul9.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0b9d15c590157e34e3a6b34a0935afc8bae3b55199df4e0beea3da3432b01b4e
Instruction ID: 126d425e2e1adf86addf65deaa3af8500bf29316390af23d0762219811fc8ba5
Opcode Fuzzy Hash: 0b9d15c590157e34e3a6b34a0935afc8bae3b55199df4e0beea3da3432b01b4e
Instruction Fuzzy Hash: DD312532D0CB484FDB29ABA898466FA7BE1EF55321F05023FD059C3692DF74A809C791

Function 00007FFE7E1B1E2D Relevance: 1.6, APIs: 1, Instructions: 116
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00007FFE7E1B1EE7

Memory Dump Source

Source File: 00000000.00000002.1424911377.00007FFE7E1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7e1b0000_IWsK3V2Ul9.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cbc1504661cc5764579055bfb2143388a2ebd926300022efe356f56acf0fa12a
Instruction ID: fd454f7fc377a7de65abdf3a82b92953fed8787abdd6e1250f67312f3507328b
Opcode Fuzzy Hash: cbc1504661cc5764579055bfb2143388a2ebd926300022efe356f56acf0fa12a
Instruction Fuzzy Hash: 1D31283190C7884FDB1BDB6888567E97FE1EF57320F0842AFD089C71A3DA685806C752

Function 00007FFE7E1B2B8B Relevance: 1.6, APIs: 1, Instructions: 83
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FFE7E1B2C3C

Memory Dump Source

Source File: 00000000.00000002.1424911377.00007FFE7E1B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7e1b0000_IWsK3V2Ul9.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 19544cb4190071a3f959e35c42c8f46cff290b9b69c47c9c73ccb739d985bd01
Instruction ID: 5c3e34e7672454137321f4bb0c2e31737f940f3079b417e539558d22d42bfcd3
Opcode Fuzzy Hash: 19544cb4190071a3f959e35c42c8f46cff290b9b69c47c9c73ccb739d985bd01
Instruction Fuzzy Hash: 21314A34508B8C8FDB65DF18C8957E97BE0FF69350F04466ED88D8B292DB34A945CB82

Analysis Process: cvtres.exePID: 1852, Parent PID: 6948COMMON

Executed Functions

Function 030D0EA8 Relevance: 2.6, Instructions: 2599COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3875655078.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30d0000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe4d849a68a5fd8f58d93e42b41df0cb0a755d6cd95fdb70f55bd21797f05b1
Instruction ID: a451da0e0844447428a1c90589309cb9cd2e5e7ce4bbafa520cf5cbb529d3549
Opcode Fuzzy Hash: dbe4d849a68a5fd8f58d93e42b41df0cb0a755d6cd95fdb70f55bd21797f05b1
Instruction Fuzzy Hash: A853D431D10B1A8ACB11EF68C890599F7B1FF99300F15D79AE4597B221EB70AAD4CF81

Function 013BF210 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\Vl, xrefs: 013BF4C7

Memory Dump Source

Source File: 00000004.00000002.3874775214.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13b0000_cvtres.jbxd

Similarity

API ID:
String ID: \Vl
API String ID: 0-682378881
Opcode ID: c4e0771f6a335e6428421d38bb63fecae0882af8078bb856e8b2eb503d022ea0
Instruction ID: 8b4b5f99b6963ff05ebc6796f0dd1a0d4830caff677ccb64a9f039d271ac5c62
Opcode Fuzzy Hash: c4e0771f6a335e6428421d38bb63fecae0882af8078bb856e8b2eb503d022ea0
Instruction Fuzzy Hash: 6CB13B70E00209CFDB14CFADDC857DEBBF6AF88318F149129D519A7654EB749845CB81

Function 030D3E58 Relevance: .7, Instructions: 699COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3875655078.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30d0000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7fe26631e3632466058ff3cd9255f017bc3d6b4e344f73b471319c55a1d1b03
Instruction ID: 5ba593b24fc53102a0aa3e88300e5ec0aaa1b10d029271a395ab369ebb0958ad
Opcode Fuzzy Hash: e7fe26631e3632466058ff3cd9255f017bc3d6b4e344f73b471319c55a1d1b03
Instruction Fuzzy Hash: A262FA31D10B5A8ECB11EB78C8546A9F7B1FF9A300F11C79AE45967125FB70AAC4CB81

Function 013BA860 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3874775214.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13b0000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207ddbb1a8c3ec8fa8a9d0fd73d30f96b081b9ece7207e32e61965d8c6573c7b
Instruction ID: b0e3ed0add0c0a306796c7ff5e366c790b0813411ea7642d2df108d70395857d
Opcode Fuzzy Hash: 207ddbb1a8c3ec8fa8a9d0fd73d30f96b081b9ece7207e32e61965d8c6573c7b
Instruction Fuzzy Hash: 9B12A3B05027458ED361EF65ED4C1C93BB2FB86398F904799C2612B2E9EBBC154ACF44

Function 013BFAE0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3874775214.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13b0000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a1b4bce76b55c0739ab84ee335ccc6605a7fce716dbfb0bcef5c4143a93233
Instruction ID: f9ce0c919c7e008ce774fbde00150713c892946f05aa3a9509770e5b14a8ce31
Opcode Fuzzy Hash: 08a1b4bce76b55c0739ab84ee335ccc6605a7fce716dbfb0bcef5c4143a93233
Instruction Fuzzy Hash: BCB18C70E002098FDF14CFA8CC917EDBBF6AF88318F149529D915E7698EB349885CB81

Function 013BA84F Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3874775214.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13b0000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f41943edbb684d97d51e316130c77e75ccc66cd4342dc0b8cabc7df0bf07d7c
Instruction ID: 51460ba198a6eb739e0a65545c8352e1c9ff57c23c5daf6b7bad54a3e569c5a7
Opcode Fuzzy Hash: 8f41943edbb684d97d51e316130c77e75ccc66cd4342dc0b8cabc7df0bf07d7c
Instruction Fuzzy Hash: EFC1F4B09027458FD721EF68ED481C97BB2FB86364F504799D2612B2E9EBBC144ACF44

Function 030D0540 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

(iq, xrefs: 030D0738
(&eq, xrefs: 030D066A

Memory Dump Source

Source File: 00000004.00000002.3875655078.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30d0000_cvtres.jbxd

Similarity

API ID:
String ID: (&eq$(iq
API String ID: 0-45519133
Opcode ID: bfe1efa7c9711a60705d6b5fb3c71860e3e0d9f5a249fec6214ca7da62bfdb9d
Instruction ID: 09393e0dd9c80d52e1c5d693710b74c81e4a1b7a807da61c2850639b0fd67411
Opcode Fuzzy Hash: bfe1efa7c9711a60705d6b5fb3c71860e3e0d9f5a249fec6214ca7da62bfdb9d
Instruction Fuzzy Hash: EA514D71F102199BDB55EBB9C4506AEBAF2AFD8700F148529D406BB384DF30AD46CB91

Function 030D6560 Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

Teeq, xrefs: 030D668F

Memory Dump Source

Source File: 00000004.00000002.3875655078.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30d0000_cvtres.jbxd

Similarity

API ID:
String ID: Teeq
API String ID: 0-348098666
Opcode ID: 3ef56efa25abab60912d3ac34c86423b0cda75c413b5a608ca01ecf85805ccf2
Instruction ID: 5b19bfc8acce3bae6d025dbfca853fffbc561a1a652d76307897ff7271eab34d
Opcode Fuzzy Hash: 3ef56efa25abab60912d3ac34c86423b0cda75c413b5a608ca01ecf85805ccf2
Instruction Fuzzy Hash: 92717E71A003198FDB14DFA9C894A5EFBF6FF88304F558568D806AB3A5DB71AC44CB90

Function 030D6549 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

Teeq, xrefs: 030D668F

Memory Dump Source

Source File: 00000004.00000002.3875655078.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30d0000_cvtres.jbxd

Similarity

API ID:
String ID: Teeq
API String ID: 0-348098666
Opcode ID: 6dac4c4c33e39bcdce7860077a2d49b98c79905ae00830589006574de8b82454
Instruction ID: b67f6a8b1dcff61bb27d36bbe5e3b94a10107bde104a6797f92410ca07d85d9d
Opcode Fuzzy Hash: 6dac4c4c33e39bcdce7860077a2d49b98c79905ae00830589006574de8b82454
Instruction Fuzzy Hash: 9D617F75E013098FDB54CFA9C894A9AFBF6BF88300F158169D405AB3A5DB71AD44CB90

Function 030D63E8 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

Teeq, xrefs: 030D645F

Memory Dump Source

Source File: 00000004.00000002.3875655078.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30d0000_cvtres.jbxd

Similarity

API ID:
String ID: Teeq
API String ID: 0-348098666
Opcode ID: 7c98d27a1ae42ff557984b16a689c7f367013e0eed8adce8789de05bd58e5b1f
Instruction ID: ff62993bd207887370117838096417964058c865695a42d82c8f529ee22bc6c6
Opcode Fuzzy Hash: 7c98d27a1ae42ff557984b16a689c7f367013e0eed8adce8789de05bd58e5b1f
Instruction Fuzzy Hash: 8041AE70B102149FDB54DB69D894B6DBBF6BF88710F5440A9E905EB3A5CF72AD40CB80

Function 030D0A28 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3875655078.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30d0000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7e904ca367a8bc42c3d051251573849c8d3a9ce921e644b56911ea2c08c23b
Instruction ID: 7a4593b82b96defdb85e2c7fdf0408983599546f731d7a26ec68104accf53e4c
Opcode Fuzzy Hash: af7e904ca367a8bc42c3d051251573849c8d3a9ce921e644b56911ea2c08c23b
Instruction Fuzzy Hash: E401FC362093956FCB03DF686C145AD7FB6EF86210B05849BD544CB1A3DA314819C7A6

Function 030D5C33 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3875655078.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30d0000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c532b78ddc435da70bb0590084a3e10bccc146451d7d65ec1173035ce82e0aa
Instruction ID: 63ec9c28965c42c2504c3ea25483f93fd153e07f42f3d97fa7fbcfa001fb3521
Opcode Fuzzy Hash: 7c532b78ddc435da70bb0590084a3e10bccc146451d7d65ec1173035ce82e0aa
Instruction Fuzzy Hash: 4141E374B207199BCB06EB68D85475EBBB7FF89300F208116E814A7399DF759C818B90

Function 030D0531 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3875655078.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30d0000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433d38cbc2ae1f1f734d62f55634a4ad4e8f3f295962cbccd15664347cec7dd4
Instruction ID: 588f8b148e5ee2200b208dec6f4f073906aa8e84ab1c780b3de61a0ea234e482
Opcode Fuzzy Hash: 433d38cbc2ae1f1f734d62f55634a4ad4e8f3f295962cbccd15664347cec7dd4
Instruction Fuzzy Hash: 5B413171E013199BDB14DFA5C890BDEFBF5EF88700F288129E405BB254EB71A946CB90

Function 030D0E99 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3875655078.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30d0000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d969a8ab7ea0fbee34da84a44ff14e78a62f90effccd1192faa2ccb6dbf96c57
Instruction ID: b495a189d77c4abf7b91470aa8838c25c024248b44c92fef1462a1c9a14b046f
Opcode Fuzzy Hash: d969a8ab7ea0fbee34da84a44ff14e78a62f90effccd1192faa2ccb6dbf96c57
Instruction Fuzzy Hash: 2B418270A01205CBDB44EF69D884799BBF6FF88300F14C565D908AF39AEBB5E941CB90

Function 0135D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3874582061.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_135d000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10291247ec36154af0c3129a68afcee370fad1501c1cb3c64ff9302b0704fe14
Instruction ID: 39784d5cc8f281745cc7e72bb8ebbebc6e2c56586e3dc21bfa528660e76cf95e
Opcode Fuzzy Hash: 10291247ec36154af0c3129a68afcee370fad1501c1cb3c64ff9302b0704fe14
Instruction Fuzzy Hash: 24214371104204DFDB51DF58D9C0F26BB69FB84B68F20C569EC090B342C33AD407CAA2

Function 0135D1CC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3874582061.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_135d000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9a298dad4c8f16bfd3b7853e7ee2c60eca233dcac5ca519d879240e1992101
Instruction ID: d9d8ad07f3742e0fe2e08e28bb22dd088e99463a46f0619b5a34cbca0e046099
Opcode Fuzzy Hash: ff9a298dad4c8f16bfd3b7853e7ee2c60eca233dcac5ca519d879240e1992101
Instruction Fuzzy Hash: 9C21F2B5504204DFDB45DF98D980F26BB65FB88B28F24C96DDC094B246C73AD846CA61

Function 0135D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3874582061.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_135d000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f168da165589dfdef4a43e57e8d8c013432e9dfc6428f86b001ad7f8ffcfbf38
Instruction ID: 4a399b3cc091fb15ddd2cb7f57047a7220186b2f73b04b38160ca01706fc631c
Opcode Fuzzy Hash: f168da165589dfdef4a43e57e8d8c013432e9dfc6428f86b001ad7f8ffcfbf38
Instruction Fuzzy Hash: F121D2765093808FDB13CF24D994B15BF71FB86314F28C5EAD8488B693C33A940ACB62

Function 030D0DE9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3875655078.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30d0000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08509a3b5207146dd4bda29a8c35c95209e2ab1c7f3e658b530a0d277a159d3b
Instruction ID: 6d37832a12047a7165291a74bb4fb141dffdaa750dccb34bd51bc7217ea5ad30
Opcode Fuzzy Hash: 08509a3b5207146dd4bda29a8c35c95209e2ab1c7f3e658b530a0d277a159d3b
Instruction Fuzzy Hash: 861103768002499FDB10CF99D945BDEBBF4EB48320F14841AE918A7210C335A954DFA5

Function 0135D1C7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3874582061.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_135d000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 5996d0f7b6620ebe7f90b78a57129a3a4c9313fe0a1b58c80249fd90d71c6c73
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 4711BB75504280DFDB02CF54D5C4B15BBB1FB84728F24C6ADDC094B256C33AD84ACBA1

Function 030D0DF0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3875655078.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30d0000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603d125cde0017e5e8a45791934bbcd44ff21f7d4f0768b797a678629a2573e0
Instruction ID: 530709c2d7c21cb6474de594c5e280293f072e11d29900da45da5de9ce1cd974
Opcode Fuzzy Hash: 603d125cde0017e5e8a45791934bbcd44ff21f7d4f0768b797a678629a2573e0
Instruction Fuzzy Hash: 531104B6800249DFDB10CF99D945BDEBFF4EF48320F14841AE918A7250C339A554DFA5

Function 030D6890 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3875655078.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_30d0000_cvtres.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e2124a597aa76dcf5d91eb731935ac167b280f7040c899f8583c10be8be49e
Instruction ID: 30619daa548958b3ea0f7202b9ab31f3a2905a6fb47d6ecc3adcfa6c52df4a91
Opcode Fuzzy Hash: 29e2124a597aa76dcf5d91eb731935ac167b280f7040c899f8583c10be8be49e
Instruction Fuzzy Hash: B9E01776741204CFC718EBA8F4944A8B732FF8479D360897AC9094B340DB369C15DF40

Non-executed Functions

Function 013BEEC8 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vl, xrefs: 013BF113

Memory Dump Source

Source File: 00000004.00000002.3874775214.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13b0000_cvtres.jbxd

Similarity

API ID:
String ID: \Vl
API String ID: 0-682378881
Opcode ID: 7e52d11eddd3947e4bbe3a8fbc4b37bbd4794bed5a6689cf478d2cbbfe5cbe33
Instruction ID: 144b9990c01518f5b1d59560f88c6b7dbea9bcec3be42eb7f8dcf0c7096f07be
Opcode Fuzzy Hash: 7e52d11eddd3947e4bbe3a8fbc4b37bbd4794bed5a6689cf478d2cbbfe5cbe33
Instruction Fuzzy Hash: 52917C70E002099FDF14CFACD9C17DEBBF6AF88318F148529E505AB6A4EB749845CB81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IWsK3V2Ul9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: ArrowRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\IWsK3V2Ul9.exe.log

C:\Users\user\AppData\Local\Temp\TMP_pass

C:\Users\user\AppData\Roaming\temp0923

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
IWsK3V2Ul9.exe

Function 00007FFE7E1B2E69 Relevance: 1.8, APIs: 1, Instructions: 292
COMMON

Function 00007FFE7E1B213A Relevance: 2.0, APIs: 1, Instructions: 517
memoryCOMMON

Function 00007FFE7E1B2544 Relevance: 1.6, APIs: 1, Instructions: 148
injectionCOMMON

Function 00007FFE7E1B2FA5 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Function 00007FFE7E1B2681 Relevance: 1.6, APIs: 1, Instructions: 141
COMMON

Function 00007FFE7E1B076A Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Function 00007FFE7E1B1F28 Relevance: 1.6, APIs: 1, Instructions: 127
threadCOMMON

Function 00007FFE7E1B1E2D Relevance: 1.6, APIs: 1, Instructions: 116
threadCOMMON

Function 00007FFE7E1B2B8B Relevance: 1.6, APIs: 1, Instructions: 83
processCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre